From 3e8ab627f8761f50da42df9938381a0503a16f12 Mon Sep 17 00:00:00 2001
From: Cameron McCormack
Date: Tue, 20 Nov 2018 07:01:49 +0000
Subject: [PATCH] Bug 1507961 - Check that an SVG DOM item wasn't removed from its list before scheduling its animation update r=longsonr
Differential Revision: https://phabricator.services.mozilla.com/D12361
--HG--
extra : moz-landing-system : lando
---
 dom/svg/DOMSVGLength.cpp | 4 +-
 dom/svg/DOMSVGNumber.cpp | 4 +-
 dom/svg/DOMSVGPathSeg.cpp | 4 +-
 dom/svg/DOMSVGPoint.cpp | 4 +-
 dom/svg/SVGTransform.cpp | 4 +-
 dom/svg/crashtests/1507961-1.html | 4066 ++++++++++++++++++++++++++++
 dom/svg/crashtests/crashtests.list | 1 +
 7 files changed, 4082 insertions(+), 5 deletions(-)
 create mode 100644 dom/svg/crashtests/1507961-1.html
diff --git a/dom/svg/DOMSVGLength.cpp b/dom/svg/DOMSVGLength.cpp
index 40911ba281bd..19907d1bd7b2 100644
--- a/dom/svg/DOMSVGLength.cpp
+++ b/dom/svg/DOMSVGLength.cpp
@@ -81,7 +81,9 @@ public:
 {
 mLength->Element()->DidChangeLengthList(mLength->mAttrEnum,
 mEmptyOrOldValue);
- if (mLength->mList->IsAnimating()) {
+ // Null check mLength->mList, since DidChangeLengthList can run script,
+ // potentially removing mLength from its list.
+ if (mLength->mList && mLength->mList->IsAnimating()) {
 mLength->Element()->AnimationNeedsResample();
 }
 }
diff --git a/dom/svg/DOMSVGNumber.cpp b/dom/svg/DOMSVGNumber.cpp
index 60ccb2b05169..c863f153d1fa 100644
--- a/dom/svg/DOMSVGNumber.cpp
+++ b/dom/svg/DOMSVGNumber.cpp
@@ -70,7 +70,9 @@ public:
 {
 mNumber->Element()->DidChangeNumberList(mNumber->mAttrEnum,
 mEmptyOrOldValue);
- if (mNumber->mList->IsAnimating()) {
+ // Null check mNumber->mList, since DidChangeNumberList can run script,
+ // potentially removing mNumber from its list.
+ if (mNumber->mList && mNumber->mList->IsAnimating()) {
 mNumber->Element()->AnimationNeedsResample();
 }
 }
diff --git a/dom/svg/DOMSVGPathSeg.cpp b/dom/svg/DOMSVGPathSeg.cpp
index 0164b9a6121f..78a73281a8fd 100644
--- a/dom/svg/DOMSVGPathSeg.cpp
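Review bot: In dom/svg/DOMSVGLength.cpp the new guard covers `mLength->mList` being cleared, but the destructor still dereferences `mLength` itself after `DidChangeLengthList`, which the added comment says can run script. How `mLength` is held is outside the hunk (as are the destructor's signature and the class members); if it is a raw pointer, script that removes the item from its list and also drops the last reference to it would turn this into a use-after-free rather than a null dereference. I would state the lifetime requirement next to the check, e.g. `// Callers must hold a strong reference to mLength for the lifetime of this notifier.`, or hold the item in a `RefPtr` member. The same applies to the DOMSVGNumber, DOMSVGPathSeg, DOMSVGPoint and SVGTransform hunks, whose notifier destructors have the same shape.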
+++ b/dom/svg/DOMSVGPathSeg.cpp
@@ -63,7 +63,9 @@ public:
 ~AutoChangePathSegNotifier()
 {
 mPathSeg->Element()->DidChangePathSegList(mEmptyOrOldValue);
- if (mPathSeg->mList->AttrIsAnimating()) {
+ // Null check mPathSeg->mList, since DidChangePathSegList can run script,
+ // potentially removing mPathSeg from its list.
+ if (mPathSeg->mList && mPathSeg->mList->AttrIsAnimating()) {
 mPathSeg->Element()->AnimationNeedsResample();
 }
 }
diff --git a/dom/svg/DOMSVGPoint.cpp b/dom/svg/DOMSVGPoint.cpp
index fa87ee189933..c1c0ec75561a 100644
--- a/dom/svg/DOMSVGPoint.cpp
+++ b/dom/svg/DOMSVGPoint.cpp
@@ -40,7 +40,9 @@ public:
 ~AutoChangePointNotifier()
 {
 mPoint->Element()->DidChangePointList(mEmptyOrOldValue);
- if (mPoint->mList->AttrIsAnimating()) {
+ // Null check mPoint->mList, since DidChangePointList can run script,
+ // potentially removing mPoint from its list.
+ if (mPoint->mList && mPoint->mList->AttrIsAnimating()) {
 mPoint->Element()->AnimationNeedsResample();
 }
 }
diff --git a/dom/svg/SVGTransform.cpp b/dom/svg/SVGTransform.cpp
index 435b6794ebcc..1d2bd157b0df 100644
--- a/dom/svg/SVGTransform.cpp
+++ b/dom/svg/SVGTransform.cpp
@@ -90,7 +90,9 @@ public:
 {
 if (mTransform->HasOwner()) {
 mTransform->Element()->DidChangeTransformList(mEmptyOrOldValue);
- if (mTransform->mList->IsAnimating()) {
+ // Null check mTransform->mList, since DidChangeTransformList can run
+ // script, potentially removing mTransform from its list.
+ if (mTransform->mList && mTransform->mList->IsAnimating()) {
 mTransform->Element()->AnimationNeedsResample();
 }
 }
diff --git a/dom/svg/crashtests/1507961-1.html b/dom/svg/crashtests/1507961-1.html
new file mode 100644
index 000000000000..a94d5872fb17
--- /dev/null
+++ b/dom/svg/crashtests/1507961-1.html
@@ -0,0 +1,4066 @@ + + + + + + + + + +
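Review bot: In dom/svg/SVGTransform.cpp the ownership test is now spelled two ways within a few lines: `mTransform->HasOwner()` before `DidChangeTransformList` and a direct `mTransform->mList` check after it. If `HasOwner()` is just a null test on `mList` (its definition is outside the hunk), re-using it would read more consistently: `if (mTransform->HasOwner() && mTransform->mList->IsAnimating()) {`. If the two can differ, the added comment should say why the raw member is checked instead.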
+[a + +
+ +^iVw;'u1fo^L7$C +NG+]s9<^/I[=LD\ft/ + + + + +"#XR_tF_[/W~~E + + + + + + + + + + + + + + + +f#1s=6$E"d;f + +