Bug 927558 - Missing null check in Selection::GetPrimaryFrameForFocusNode; r=ehsan

2014-04-02 19:01:01 +03:00 · 2014-04-02 19:01:01 +03:00 · 8e45d99ffe
--- a/layout/generic/crashtests/927558.html
+++ b/layout/generic/crashtests/927558.html
@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<meta charset="UTF-8">
+<script>
+
+function boom()
+{
+  var range = document.createRange();
+  range.setStart(document.documentElement, 0);
+  var frame = document.getElementById("f");
+  var frameSel = frame.contentWindow.getSelection();
+  document.body.removeChild(frame);
+  frameSel.addRange(range);
+  frameSel.modify("move", "right", "character");
+}
+
+</script>
+</head>
+
+<body onload="boom();">
+<iframe id="f" src="data:text/html,<!doctype html>1"></iframe>
+
+
+</body></html>
--- a/layout/generic/crashtests/crashtests.list
+++ b/layout/generic/crashtests/crashtests.list
@ -522,6 +522,7 @@ load 893496-1.html
 load 893523.html
 test-pref(layout.css.sticky.enabled,true) load 914891.html
 test-pref(layout.css.sticky.enabled,true) load 915475.xhtml
+load 927558.html
 load 943509-1.html
 asserts(4-8) load 944909-1.html
 test-pref(layout.css.sticky.enabled,true) load 949932.html
--- a/layout/generic/nsSelection.cpp
+++ b/layout/generic/nsSelection.cpp
@ -3875,8 +3875,6 @@ Selection::GetPrimaryFrameForFocusNode(nsIFrame** aReturnFrame,
  if (!content || !mFrameSelection)
    return NS_ERROR_FAILURE;
  
-  nsIPresShell *presShell = mFrameSelection->GetShell();
-
  int32_t frameOffset = 0;
  *aReturnFrame = 0;
  if (!aOffsetUsed)
@ -3885,6 +3883,10 @@ Selection::GetPrimaryFrameForFocusNode(nsIFrame** aReturnFrame,
  nsFrameSelection::HINT hint = mFrameSelection->GetHint();

  if (aVisual) {
+    nsIPresShell *presShell = mFrameSelection->GetShell();
+    if (!presShell)
+      return NS_ERROR_FAILURE;
+
    nsRefPtr<nsCaret> caret = presShell->GetCaret();
    if (!caret)
      return NS_ERROR_FAILURE;