Bug 1380800 - Correct index check in ServoStyleSheet.deleteRule. r?heycam
MozReview-Commit-ID: GZz0g9x4WdS
--- a/layout/style/ServoStyleSheet.cpp
+++ b/layout/style/ServoStyleSheet.cpp
@@ -409,17 +409,17 @@ ServoStyleSheet::InsertRuleInternal(cons
return aIndex;
}
void
ServoStyleSheet::DeleteRuleInternal(uint32_t aIndex, ErrorResult& aRv)
{
// Ensure mRuleList is constructed.
GetCssRulesInternal();
- if (aIndex > mRuleList->Length()) {
+ if (aIndex >= mRuleList->Length()) {
aRv.Throw(NS_ERROR_DOM_INDEX_SIZE_ERR);
return;
}
mozAutoDocUpdate updateBatch(mDocument, UPDATE_STYLE, true);
// Hold a strong ref to the rule so it doesn't die when we remove it
// from the list. XXX We may not want to hold it if stylesheet change
// event is not enabled.
new file mode 100644
--- /dev/null
+++ b/layout/style/crashtests/1380800.html
@@ -0,0 +1,5 @@
+<!DOCTYPE html>
+<style></style>
+<script>
+document.styleSheets[0].deleteRule(0);
+</script>
--- a/layout/style/crashtests/crashtests.list
+++ b/layout/style/crashtests/crashtests.list
@@ -173,9 +173,10 @@ load 1356601-1.html
load 1370793-1.xhtml
load 1374175-1.html
load content-only-on-link-before.html
load content-only-on-visited-before.html
load 1375812-1.html
load 1377053-1.html
load 1377256-1.html
load 1378814.html
+load 1380800.html
load link-transition-before.html
