Bug 1383780 - Null-check return value of SVGUseElement::GetContentURLData before returning. r?bz
MozReview-Commit-ID: 19X22AVQ4Gg
--- a/dom/base/FragmentOrElement.cpp
+++ b/dom/base/FragmentOrElement.cpp
@@ -378,17 +378,19 @@ nsIContent::GetLang() const
already_AddRefed<nsIURI>
nsIContent::GetBaseURI(bool aTryUseXHRDocBaseURI) const
{
if (IsInAnonymousSubtree() && IsAnonymousContentInSVGUseSubtree()) {
nsIContent* bindingParent = GetBindingParent();
MOZ_ASSERT(bindingParent);
SVGUseElement* useElement = static_cast<SVGUseElement*>(bindingParent);
// XXX Ignore xml:base as we are removing it.
- return do_AddRef(useElement->GetContentURLData()->BaseURI());
+ if (URLExtraData* data = useElement->GetContentURLData()) {
+ return do_AddRef(data->BaseURI());
+ }
}
nsIDocument* doc = OwnerDoc();
// Start with document base
nsCOMPtr<nsIURI> base = doc->GetBaseURI(aTryUseXHRDocBaseURI);
// Collect array of xml:base attribute values up the parent chain. This
// is slightly slower for the case when there are xml:base attributes, but
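Review bot: The new `if (URLExtraData* data = useElement->GetContentURLData())` guard silently falls through to the owner document's base URI when the use element has no URL data, but nothing in the hunk records why that pointer can be null or why the document base is an acceptable substitute; the same unexplained fallback is added in GetBaseURIWithoutXMLBase and GetURLDataForStyleAttr. A reader hitting the fuzz-derived crashtest later will have to rediscover this, so I would add above the guard `// GetContentURLData() may be null (presumably while the use element's cloned content is not fully set up); fall back to the document base URI rather than crash.` with the "presumably" replaced by the actual condition once confirmed. Note that in GetURLDataForStyleAttr the fallback path also runs the `MOZ_ASSERT(nsLayoutUtils::StyleAttrWithXMLBaseDisabled())` that previously was unreachable for SVG use subtrees, which is worth stating in that comment if it is intended. GetBaseURI's body continues outside the hunk.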
@@ -448,17 +450,19 @@ nsIContent::GetBaseURI(bool aTryUseXHRDo
nsIURI*
nsIContent::GetBaseURIWithoutXMLBase() const
{
if (IsInAnonymousSubtree() && IsAnonymousContentInSVGUseSubtree()) {
nsIContent* bindingParent = GetBindingParent();
MOZ_ASSERT(bindingParent);
SVGUseElement* useElement = static_cast<SVGUseElement*>(bindingParent);
- return useElement->GetContentURLData()->BaseURI();
+ if (URLExtraData* data = useElement->GetContentURLData()) {
+ return data->BaseURI();
+ }
}
// This also ignores the case that SVG inside XBL binding.
// But it is probably fine.
return OwnerDoc()->GetDocBaseURI();
}
already_AddRefed<nsIURI>
nsIContent::GetBaseURIForStyleAttr() const
@@ -482,17 +486,19 @@ nsIContent::GetBaseURIForStyleAttr() con
URLExtraData*
nsIContent::GetURLDataForStyleAttr() const
{
if (IsInAnonymousSubtree() && IsAnonymousContentInSVGUseSubtree()) {
nsIContent* bindingParent = GetBindingParent();
MOZ_ASSERT(bindingParent);
SVGUseElement* useElement = static_cast<SVGUseElement*>(bindingParent);
- return useElement->GetContentURLData();
+ if (URLExtraData* data = useElement->GetContentURLData()) {
+ return data;
+ }
}
// We are not going to support xml:base for stylo, but we want to
// ensure we unship that support before we enabling stylo.
MOZ_ASSERT(nsLayoutUtils::StyleAttrWithXMLBaseDisabled());
// This also ignores the case that SVG inside XBL binding.
// But it is probably fine.
return OwnerDoc()->DefaultStyleAttrURLData();
}
new file mode 100644
--- /dev/null
+++ b/dom/base/crashtests/1383780.html
@@ -0,0 +1,21 @@
+<html>
+ <head>
+ <script>
+ try { o1 = document.createElementNS('http://www.w3.org/2000/svg', 'use') } catch(e) { }
+ try { o2 = document.createElement('img') } catch(e) { }
+ try { o4 = document.createElement('area') } catch(e) { }
+ try { o5 = document.createElement('tr') } catch(e) { }
+ try { o6 = document.createRange(); } catch(e) { }
+ try { o7 = window.getSelection() } catch(e) { }
+ try { document.documentElement.appendChild(o1) } catch(e) { }
+ try { document.head.outerHTML = '<progress></progress>'; } catch(e) { }
+ try { o1.appendChild(o2); } catch(e) { }
+ try { o2.appendChild(o4) } catch(e) { }
+ try { o4.appendChild(o5); } catch(e) { }
+ try { document.designMode = 'on'; } catch(e) { }
+ try { o6.selectNode(o5); } catch(e) { }
+ try { o7.addRange(o6); } catch(e) { }
+ try { document.execCommand('justifyleft', false, null) } catch(e) { }
+ </script>
+ </head>
+</html>
--- a/dom/base/crashtests/crashtests.list
+++ b/dom/base/crashtests/crashtests.list
@@ -215,8 +215,9 @@ load 1370072.html
pref(clipboard.autocopy,true) load 1370737.html
pref(dom.IntersectionObserver.enabled,true) load 1370968.html
load 1377826.html
skip-if(stylo&&isDebugBuild&&winWidget) load structured_clone_container_throws.html # Bug 1383845
HTTP(..) load xhr_abortinprogress.html
load xhr_empty_datauri.html
load xhr_html_nullresponse.html
load 1383478.html
+load 1383780.html