224901 - oom crash in MakeContentObject for form controls

Status: RESOLVED FIXED

(Core :: DOM: Core & HTML, defect)

Description

[timeless]

in mozilla/content/html/document/src/nsHTMLContentSink.cpp
trace MakeContentObject(
 aNodeType=eHTMLTag_input
 aInsideNoXXXTag=false
)
let NS_NewHTMLInputElement fail
execute SetForm
-crash-

Comment 1

[timeless]

Attachment: -uw5p

Comment 2

[timeless]

Comment on attachment 134915 [details] [diff] [review]
-uw5p

i believe all form controls types are covered by the switch (minus the two
which take a different code path) so there's no need for warnings about
unhandled cases.

Comment 3

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

If the methods in question propagate NS_ERROR_OUT_OF_MEMORY properly, shouldn't
you check NS_SUCCEEDED(rv) instead?

Comment 4

[timeless]

Attachment: -uw5p check rv

Comment 5

[timeless]

Comment on attachment 134918 [details] [diff] [review]
-uw5p check rv

indeed (and it matters)

Comment 6

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

Comment on attachment 134918 [details] [diff] [review]
-uw5p check rv

>+  if (NS_SUCCEEDED(rv) && !aInsideNoXXXTag) {
>   switch (aNodeType) {
>   case eHTMLTag_button:
>   case eHTMLTag_fieldset:
>   case eHTMLTag_label:
>   case eHTMLTag_legend:
>   case eHTMLTag_object:
>   case eHTMLTag_textarea:
>-    if (!aInsideNoXXXTag) {
>       SetForm(*aResult, aForm);
>+    break;
>+    default: ;
>     }
>   }

Fix the wacky indentation of the default: and remove the extra ;, and
r+sr=dbaron, although for future reference I'm probably not the best reviewer
for content sink code.

Comment 7

[timeless]

checked in (note that the whacky indentaiton was a relic of -w) with a break in
default: