From aad387a7cd0a3dec4ce3b30719660578f997bc16 Mon Sep 17 00:00:00 2001
From: Boris Zbarsky
Date: Thu, 13 Jul 2017 23:46:59 -0400
Subject: [PATCH] Bug 1378147. Hold strong refs to elements when calling various functions that can run script. r=mystor
---
 dom/html/ImageDocument.cpp | 8 ++++++--
 xpfe/appshell/nsXULWindow.cpp | 3 ++-
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/dom/html/ImageDocument.cpp b/dom/html/ImageDocument.cpp
index 58164dc7eeea..9f444f0fba30 100644
--- a/dom/html/ImageDocument.cpp
+++ b/dom/html/ImageDocument.cpp
@@ -352,7 +352,9 @@ ImageDocument::ShrinkToFit()
 // changed and we don't plan to adjust the image size to compensate. Since
 // mImageIsResized it has a "height" attribute set, and we can just get the
 // displayed image height by getting .height on the HTMLImageElement.
- HTMLImageElement* img = HTMLImageElement::FromContent(mImageContent);
+ //
+ // Hold strong ref, because Height() can run script.
+ RefPtr img = HTMLImageElement::FromContent(mImageContent);
 uint32_t imageHeight = img->Height();
 nsDOMTokenList* classList = img->ClassList();
 ErrorResult ignored;
@@ -652,7 +654,9 @@ ImageDocument::UpdateSizeFromLayout()
 return;
 }
- nsIFrame* contentFrame = mImageContent->GetPrimaryFrame(FlushType::Frames);
+ // Need strong ref, because GetPrimaryFrame can run script.
+ nsCOMPtr imageContent = mImageContent;
+ nsIFrame* contentFrame = imageContent->GetPrimaryFrame(FlushType::Frames);
 if (!contentFrame) {
 return;
 }
diff --git a/xpfe/appshell/nsXULWindow.cpp b/xpfe/appshell/nsXULWindow.cpp
index 3b38efe3dada..5926c052f721 100644
--- a/xpfe/appshell/nsXULWindow.cpp
+++ b/xpfe/appshell/nsXULWindow.cpp
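Review bot: The new comment in the ShrinkToFit hunk names only `Height()`, but the strong reference is also what keeps `img->ClassList()` and the raw `classList` pointer usable once script has run. I would widen it to `// Hold strong ref: Height() can run script, and img and classList are used after it returns.` Separately, `img` is dereferenced by `img->Height()` with no null check in the visible lines. Any guard on `mImageContent` would sit above the hunk, since the function body starts and ends outside it.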
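Review bot: `mImageContent` can presumably be reassigned or cleared by the script that `GetPrimaryFrame(FlushType::Frames)` runs in the UpdateSizeFromLayout hunk, and the new local `imageContent` protects only the node's lifetime, not later reads of the member. The rest of the body is outside the hunk, so I cannot tell whether it touches `mImageContent` again. If it does, it should go through `imageContent` or re-check the member first. A comment such as `// mImageContent may change during the flush; use imageContent below.` would record that for the next editor.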
@@ -1797,7 +1797,8 @@ nsXULWindow::GetPrimaryTabParentSize(int32_t* aWidth,
 int32_t* aHeight)
 {
 TabParent* tabParent = TabParent::GetFrom(mPrimaryTabParent);
- Element* element = tabParent->GetOwnerElement();
+ // Need strong ref, since Client* can run script.
+ nsCOMPtr element = tabParent->GetOwnerElement();
 NS_ENSURE_STATE(element);
 *aWidth = element->ClientWidth();
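Review bot: `tabParent` is dereferenced by `tabParent->GetOwnerElement()` without a check, while `element` on the following line gets `NS_ENSURE_STATE`. If `mPrimaryTabParent` can be null here, `TabParent::GetFrom` presumably yields null and that call is a null dereference. Unless every caller guarantees a primary tab parent (not visible in this hunk), add `NS_ENSURE_STATE(tabParent);` before the `GetOwnerElement()` call. `tabParent` also stays a raw pointer across `ClientWidth()`, which the new comment says can run script. It is not used after that in the visible lines, but the function continues past the hunk.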