From bc531bfbbaf0da9069b87b02d55190c80275e21b Mon Sep 17 00:00:00 2001
From: Moonchild <moonchild@palemoon.org>
Date: Wed, 30 Sep 2020 16:02:17 +0000
Subject: Issue #1643 - Follow-up: Make sure things aren't changed while
 iterating.

This fixes some crashing scenarios.
---
 dom/base/ResizeObserverController.cpp | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

(limited to 'dom')

diff --git a/dom/base/ResizeObserverController.cpp b/dom/base/ResizeObserverController.cpp
index 117e67fbf..acc401a5e 100644
--- a/dom/base/ResizeObserverController.cpp
+++ b/dom/base/ResizeObserverController.cpp
@@ -118,6 +118,10 @@ ResizeObserverController::Notify()
     return;
   }
 
+  // Hold a strong reference to the document, because otherwise calling
+  // all active observers on it might yank it out from under us.
+  RefPtr<nsIDocument> document(mDocument);
+  
   uint32_t shallowestTargetDepth = 0;
 
   GatherAllActiveObservations(shallowestTargetDepth);
@@ -152,7 +156,7 @@ ResizeObserverController::Notify()
     nsEventStatus status = nsEventStatus_eIgnore;
 
     nsCOMPtr<nsPIDOMWindowInner> window =
-      mDocument->GetWindow()->GetCurrentInnerWindow();
+      document->GetWindow()->GetCurrentInnerWindow();
 
     if (window) {
       nsCOMPtr<nsIScriptGlobalObject> sgo = do_QueryInterface(window);
@@ -184,7 +188,11 @@ ResizeObserverController::BroadcastAllActiveObservations()
 {
   uint32_t shallowestTargetDepth = UINT32_MAX;
 
-  for (auto observer : mResizeObservers) {
+  // Use a copy of the observers as this invokes the callbacks of the observers
+  // which could register/unregister observers at will.
+  nsTArray<RefPtr<ResizeObserver>> tempObservers(mResizeObservers);
+  
+  for (auto observer : tempObservers) {
 
     uint32_t targetDepth = observer->BroadcastActiveObservations();
 
-- 
cgit v1.2.3