Bug 1406109 - Return early after selector parsing failure in matches(). r=emilio

MozReview-Commit-ID: 6qXvrQ0eigI --HG-- extra : rebase_source : 2355ccfef79e657e04bbaddfcaa9da63015076e5
2017-10-06 14:16:13 +08:00 · 2017-10-06 14:16:13 +08:00 · c970a23771
--- a/dom/base/crashtests/1406109-1.html
+++ b/dom/base/crashtests/1406109-1.html
@ -0,0 +1,10 @@
+<html>
+<head>
+<script>
+function jsfuzzer() {
+  try { a.matches("1"); } catch(e) { }
+  try { document.createElement("p").closest("1"); } catch(e) { }
+}
+</script>
+<body onload=jsfuzzer()>
+<feBlend id="a" />
--- a/dom/base/crashtests/crashtests.list
+++ b/dom/base/crashtests/crashtests.list
@ -227,3 +227,4 @@ pref(clipboard.autocopy,true) load 1385272-1.html
 load 1393806.html
 load 1400701.html
 load 1403377.html
+load 1406109-1.html
--- a/dom/base/nsINode.cpp
+++ b/dom/base/nsINode.cpp
@ -2694,6 +2694,7 @@ nsINode::ParseServoSelectorList(
        NS_LITERAL_CSTRING("'") + NS_ConvertUTF16toUTF8(aSelectorString) +
        NS_LITERAL_CSTRING("' is not a valid selector")
      );
+      return nullptr;
    }

    // FIXME(emilio): Make this private and use `WithSelectorList` everywhere,
@ -2732,6 +2733,7 @@ nsINode::ParseSelectorList(const nsAString& aSelectorString,
        NS_LITERAL_CSTRING("'") + NS_ConvertUTF16toUTF8(aSelectorString) +
        NS_LITERAL_CSTRING("' is not a valid selector")
      );
+      return nullptr;
    }

    // FIXME(emilio): Make this private and use `WithSelectorList` everywhere,