bug 428288 chrome crash in nsDocShell::ValidateOrigin, problem found by timeless, r/sr=bzbarsky, a=beltzner

2008-04-12 14:18:06 -07:00 · 2008-04-12 14:18:06 -07:00 · 54f63f471d
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@ -1086,11 +1086,11 @@ nsDocShell::ValidateOrigin(nsIDocShellTreeItem* aOriginTreeItem,
    nsCOMPtr<nsIURI> innerTargetURI;

    rv = originDocument->NodePrincipal()->GetURI(getter_AddRefs(originURI));
-    if (NS_SUCCEEDED(rv))
+    if (NS_SUCCEEDED(rv) && originURI)
        innerOriginURI = NS_GetInnermostURI(originURI);

    rv = targetDocument->NodePrincipal()->GetURI(getter_AddRefs(targetURI));
-    if (NS_SUCCEEDED(rv))
+    if (NS_SUCCEEDED(rv) && targetURI)
        innerTargetURI = NS_GetInnermostURI(targetURI);

    return innerOriginURI && innerTargetURI &&
--- a/docshell/test/chrome/Makefile.in
+++ b/docshell/test/chrome/Makefile.in
@ -48,6 +48,7 @@ _TEST_FILES =	\
 		bug364461_window.xul \
 		test_bug396519.xul \
 		bug396519_window.xul \
+		test_bug428288.html \
 		$(NULL)

 libs:: $(_TEST_FILES)
--- a/docshell/test/chrome/test_bug428288.html
+++ b/docshell/test/chrome/test_bug428288.html
@ -0,0 +1,38 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=428288
+-->
+<head>
+  <title>Test for Bug 428288</title>
+  <script type="text/javascript" src="chrome://mochikit/content/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css" />
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=428288">Mozilla Bug 428288</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+  <iframe name="target"></iframe>
+  <a id="crashy" target="target" href="http://www.mozilla.com">crash me</a>
+</div>
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+/** Test for Bug 428288 **/
+
+function makeClick() {
+  var event = document.createEvent("MouseEvents");
+  event.initMouseEvent("click", true, true, window, 0, 0,0,0,0,
+                        false, false, false, false, 0, null);
+  document.getElementById("crashy").dispatchEvent(event);
+  return true;
+}
+
+ok(makeClick(), "Crashes if bug 428288 is present");
+
+</script>
+</pre>
+</body>
+</html>
+