Bug 601422 - Crash [@ nsImageDocument::ShrinkToFit] in removed frame. r=Olli.Pettay a=jst

content/html/document/crashtests/601422.html

@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+
+function boom()
+{
+  var frame = document.getElementById("f");
+  var frameDoc = frame.contentDocument;
+  document.body.removeChild(frame);
+  try { frameDoc.shrinkToFit(); }catch(e){}
+  try { frameDoc.restoreImageTo(1,1); }catch(e){}
+  try { frameDoc.restoreImage(); }catch(e){}
+  try { frameDoc.toggleImageSize(); }catch(e){}
+}
+
+</script>
+</head>
+
+<body onload="boom();">
+<iframe id="f" src="data:image/gif;base64,R0lGODlhAQABAID/AP///wAAACwAAAAAAQABAAACAkQBADs="></iframe>
+</body>
+</html>

content/html/document/crashtests/crashtests.list

@@ -11,3 +11,4 @@ load 468562-2.html
 load 494225.html
 load 495543.svg
 load 564461.xhtml
+load 601422.html

content/html/document/src/nsImageDocument.cpp

@@ -436,6 +436,9 @@ nsImageDocument::GetImageRequest(imgIRequest** aImageRequest)
 NS_IMETHODIMP
 nsImageDocument::ShrinkToFit()
 {
+  if (!mImageContent) {
+    return NS_OK;
+  }
   if (GetZoomLevel() != mOriginalZoomLevel && mImageIsResized &&
       !nsContentUtils::IsChildOfSameType(this)) {
     return NS_OK;
@@ -495,6 +498,9 @@ nsImageDocument::ScrollImageTo(PRInt32 aX, PRInt32 aY, PRBool restoreImage)
 NS_IMETHODIMP
 nsImageDocument::RestoreImage()
 {
+  if (!mImageContent) {
+    return NS_OK;
+  }
   // Keep image content alive while changing the attributes.
   nsCOMPtr<nsIContent> imageContent = mImageContent;
   imageContent->UnsetAttr(kNameSpaceID_None, nsGkAtoms::width, PR_TRUE);