aboutsummaryrefslogblamecommitdiff
path: root/www/waterfox/files/patch-bug1401726
blob: a4697e6263c1af1103dbfe109b52909fc445ef73 (plain) (tree) 
37f3525f6e50




























































1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60




























































                                                                                  
commit ccbee985a281
Author: John Dai <jdai@mozilla.com>
Date:   Thu Sep 21 16:32:18 2017 +0800

    Bug 1401726 - Fix crash in nsLabelsNodeList::PopulateSelf. r=smaug, a=sledru
    
    From 045228df087f7612bde09d2f715ec33f2aaf777c Mon Sep 17 00:00:00 2001
---
 dom/base/nsContentList.cpp          |  4 +++-
 dom/html/crashtests/1401726.html    | 17 +++++++++++++++++
 dom/html/crashtests/crashtests.list |  1 +
 3 files changed, 21 insertions(+), 1 deletion(-)

diff --git dom/base/nsContentList.cpp dom/base/nsContentList.cpp
index f943039e7fca..9b7bd6323aa8 100644
--- dom/base/nsContentList.cpp
+++ dom/base/nsContentList.cpp
@@ -1266,7 +1266,9 @@ nsLabelsNodeList::MaybeResetRoot(nsINode* aRootNode)
 void
 nsLabelsNodeList::PopulateSelf(uint32_t aNeededLength)
 {
-  MOZ_ASSERT(mRootNode, "Must have root");
+  if (!mRootNode) {
+    return;
+  }
 
   // Start searching at the root.
   nsINode* cur = mRootNode;
diff --git dom/html/crashtests/1401726.html dom/html/crashtests/1401726.html
new file mode 100644
index 000000000000..bf4b4918abd4
--- /dev/null
+++ dom/html/crashtests/1401726.html
@@ -0,0 +1,17 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<script>
+    try { o1 = document.createElement('button') } catch(e) { }
+    try { o2 = document.createElement('p') } catch(e) { }
+    try { o3 = o1.labels } catch(e) { }
+    try { o4 = document.createNSResolver(document.documentElement) } catch(e) { }
+    try { o5 = document.createRange(); } catch(e) { }
+    try { document.documentElement.appendChild(o1) } catch(e) { }
+    try { o5.selectNode(o4); } catch(e) { }
+    try { o5.surroundContents(o2) } catch(e) { }
+    try { o5.surroundContents(o2) } catch(e) { }
+    try { o1.labels.length } catch(e) { }
+</script>
+</head>
+</html>
diff --git dom/html/crashtests/crashtests.list dom/html/crashtests/crashtests.list
index a60cc9f99474..581ed10cefc8 100644
--- dom/html/crashtests/crashtests.list
+++ dom/html/crashtests/crashtests.list
@@ -83,3 +83,4 @@ load 1343886-2.xml
 load 1343886-3.xml
 asserts(0-3) load 1350972.html
 load 1386905.html
+asserts(0-4) load 1401726.html
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-23 14:48:45 +0000