From b117c7ed806d5fe9bebc1e4eef2ec1b3e0778da2 Mon Sep 17 00:00:00 2001
From: "Olli.Pettay%helsinki.fi"
Date: Sun, 11 Feb 2007 00:30:20 +0000
Subject: [PATCH] Bug 197052, crash/hang when using innerHTML recursively, r+sr=jst
---
 content/html/document/src/nsHTMLDocument.cpp | 8 ++++++++
 content/html/document/src/nsHTMLDocument.h | 2 ++
 2 files changed, 10 insertions(+)
diff --git a/content/html/document/src/nsHTMLDocument.cpp b/content/html/document/src/nsHTMLDocument.cpp
index c22c99c2527..152307a0ce2 100644
--- a/content/html/document/src/nsHTMLDocument.cpp
+++ b/content/html/document/src/nsHTMLDocument.cpp
@@ -134,6 +134,8 @@
 #include "nsIEditor.h"
 #include "nsNodeInfoManager.h"
+#define NS_MAX_DOCUMENT_WRITE_DEPTH 20
+
 #define DETECTOR_CONTRACTID_MAX 127
 static char g_detector_contractid[DETECTOR_CONTRACTID_MAX + 1];
 static PRBool gInitDetector = PR_FALSE;
@@ -2275,6 +2277,10 @@ nsresult
 nsHTMLDocument::WriteCommon(const nsAString& aText,
 PRBool aNewlineTerminate)
 {
+ mTooDeepWriteRecursion =
+ (mWriteLevel > NS_MAX_DOCUMENT_WRITE_DEPTH || mTooDeepWriteRecursion);
+ NS_ENSURE_STATE(!mTooDeepWriteRecursion);
+
 if (IsXHTML()) {
 // No calling document.write*() on XHTML!
@@ -2334,6 +2340,8 @@ nsHTMLDocument::WriteCommon(const nsAString& aText,
 --mWriteLevel;
+ mTooDeepWriteRecursion = (mWriteLevel != 0 && mTooDeepWriteRecursion);
+
 return rv;
 }
diff --git a/content/html/document/src/nsHTMLDocument.h b/content/html/document/src/nsHTMLDocument.h
index f1c01f3ba48..80493f82f2e 100644
--- a/content/html/document/src/nsHTMLDocument.h
+++ b/content/html/document/src/nsHTMLDocument.h
@@ -325,6 +325,8 @@ protected:
 PRPackedBool mIsFrameset;
+ PRPackedBool mTooDeepWriteRecursion;
+
 PRBool IdTableIsLive() const {
 // live if we've had over 63 misses
 return (mIdMissCount & 0x40) != 0;
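Review bot: The depth guard at the top of WriteCommon compares with `>`, so a write is still accepted when mWriteLevel equals NS_MAX_DOCUMENT_WRITE_DEPTH. If mWriteLevel counts the writes already in progress (its increment is outside this hunk), the effective ceiling is one nesting level more than the constant's name suggests; either use `>=` or state the intended bound in a comment. The latch behaviour is also undocumented: once the flag is set, NS_ENSURE_STATE rejects every write on this document, not only the one that went too deep. I would add above the assignment `// Once nesting passes NS_MAX_DOCUMENT_WRITE_DEPTH, refuse all writes until the outermost write returns (bug 197052, crash/hang on recursive writes).` WriteCommon's body continues outside the hunk.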
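Review bot: The latch is cleared only on this tail path, right after `--mWriteLevel`, so recovery depends on every exit taken after the level was incremented passing through here. The code between the two WriteCommon hunks is not shown; if any return in that stretch skips the decrement, mWriteLevel never gets back to 0 and, once the limit has tripped, the document would refuse all later writes. Worth confirming against the full function, and recording the intent with a comment such as `// Clear the latch only when the outermost write unwinds.`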
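Review bot: mTooDeepWriteRecursion is read in WriteCommon (`|| mTooDeepWriteRecursion`) before anything in this patch assigns it, and the commit contains no constructor change. If nsHTMLDocument's storage is not zero-filled on allocation (not visible here), the first write reads an indeterminate flag and may be rejected; confirm the zeroing or initialise the member in the constructor. A short comment on the member would also help, e.g. `// Set when document.write nesting exceeded NS_MAX_DOCUMENT_WRITE_DEPTH; cleared when mWriteLevel returns to 0.`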