Bug 1538758 Comment 7 Edit History

Would these be valid entry points? They appear to lead to the vulnerable sink and call scroll sync.

PresShell.cpp
```
NS_IMETHODIMP
PresShell::PageMove(bool aForward, bool aExtend) {
  printf("PresShell::PageMove step 1\n");
  nsIFrame* frame = nullptr;
  if (!aExtend) {
    frame = do_QueryFrame(GetScrollableFrameToScroll(nsIPresShell::eVertical));
    // If there is no scrollable frame, get the frame to move caret instead.
  }
  if (!frame) {
    frame = mSelection->GetFrameToPageSelect();
    if (!frame) {
      return NS_OK;
    }
  }
  RefPtr<nsFrameSelection> frameSelection = mSelection;
  frameSelection->CommonPageMove(aForward, aExtend, frame);
  // After ScrollSelectionIntoView(), the pending notifications might be
  // flushed and PresShell/PresContext/Frames may be dead. See bug 418470.
  return ScrollSelectionIntoView(
      nsISelectionController::SELECTION_NORMAL,
      nsISelectionController::SELECTION_FOCUS_REGION,
      nsISelectionController::SCROLL_SYNCHRONOUS |
          nsISelectionController::SCROLL_FOR_CARET_MOVE);  // this calls it
}
```
nsTypeAheadFind.cpp
```
nsresult nsTypeAheadFind::FindItNow(nsIPresShell* aPresShell, bool aIsLinksOnly,
bool aIsFirstVisiblePreferred,
bool aFindPrev, uint16_t* aResult) {
...SNIP...

  // Change selection color to ATTENTION and scroll to it.  Careful: we
  // must wait until after we goof with focus above before changing to
  // ATTENTION, or when we MoveFocus() and the selection is not on a
  // link, we'll blur, which will lose the ATTENTION.
  if (selectionController) {
    // Beware! This may flush notifications via synchronous
    // ScrollSelectionIntoView.
    SetSelectionModeAndRepaint(nsISelectionController::SELECTION_ATTENTION);
    selectionController->ScrollSelectionIntoView(
        nsISelectionController::SELECTION_NORMAL,
        nsISelectionController::SELECTION_WHOLE_SELECTION,
        nsISelectionController::SCROLL_CENTER_VERTICALLY |
            nsISelectionController::SCROLL_SYNCHRONOUS);
  }

...SNIP...
```

I think there might be others too.

Fixed formatting hopefully... Sorry for the double post.
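The two snippets above both reach ScrollSelectionIntoView with SCROLL_SYNCHRONOUS, and the code comment in PageMove spells out the hazard: a synchronous scroll flushes pending notifications, and the flush may destroy the PresShell, PresContext or frames the caller is still holding. The following is a constructed stand-alone C++ model added here to illustrate that hazard; it is not Mozilla code and makes no claim about the hidden bug itself. ModelPresShell, WeakFrame, QueueNotification and the two caller shapes are assumptions of the model: the first holds a raw Frame* across the synchronous scroll, the second re-checks a weak handle after the flush and bails out if the frame is gone.

```cpp
// Constructed model (not Mozilla code) of the hazard behind the comment: a
// scroll with SCROLL_SYNCHRONOUS flushes pending notifications, and a pending
// notification may destroy the very frame the caller still holds.
#include <algorithm>
#include <functional>
#include <memory>
#include <string>
#include <vector>

struct Frame {
  std::string name;
  int scrollCount = 0;
};

class ModelPresShell;

// Weak handle cleared by the shell when its frame dies (the idea behind a weak
// frame; this class and its API are assumptions of this model).
class WeakFrame {
 public:
  WeakFrame(ModelPresShell& shell, Frame* frame);
  ~WeakFrame();
  bool IsAlive() const { return mFrame != nullptr; }
  Frame* GetFrame() const { return mFrame; }
 private:
  friend class ModelPresShell;
  ModelPresShell& mShell;
  Frame* mFrame;
};

class ModelPresShell {
 public:
  Frame* AddFrame(const std::string& name) {
    mFrames.push_back(std::make_unique<Frame>());
    mFrames.back()->name = name;
    return mFrames.back().get();
  }
  // Pointer comparison only; the model never dereferences a dead frame.
  bool IsLive(const Frame* frame) const {
    return std::any_of(mFrames.begin(), mFrames.end(),
        [frame](const std::unique_ptr<Frame>& p) { return p.get() == frame; });
  }
  // A queued layout/DOM notification, e.g. a mutation that removes a frame.
  void QueueNotification(std::function<void()> fn) { mPending.push_back(std::move(fn)); }
  void DestroyFrame(Frame* frame) {
    for (WeakFrame* w : mWeakFrames) {
      if (w->mFrame == frame) w->mFrame = nullptr;  // invalidate weak handles first
    }
    mFrames.erase(std::remove_if(mFrames.begin(), mFrames.end(),
        [frame](const std::unique_ptr<Frame>& p) { return p.get() == frame; }),
        mFrames.end());
  }
  void FlushPendingNotifications() {
    std::vector<std::function<void()>> pending;
    pending.swap(mPending);  // notifications queued during the flush run later
    for (auto& fn : pending) fn();
  }
  // Models ScrollSelectionIntoView: SCROLL_SYNCHRONOUS means "flush now",
  // which is exactly where frames can die under the caller.
  void ScrollSelectionIntoView(bool synchronous) {
    if (synchronous) FlushPendingNotifications();
  }
  void Register(WeakFrame* w) { mWeakFrames.push_back(w); }
  void Unregister(WeakFrame* w) {
    mWeakFrames.erase(std::remove(mWeakFrames.begin(), mWeakFrames.end(), w), mWeakFrames.end());
  }
 private:
  std::vector<std::unique_ptr<Frame>> mFrames;
  std::vector<std::function<void()>> mPending;
  std::vector<WeakFrame*> mWeakFrames;
};

WeakFrame::WeakFrame(ModelPresShell& shell, Frame* frame) : mShell(shell), mFrame(frame) {
  mShell.Register(this);
}
WeakFrame::~WeakFrame() { mShell.Unregister(this); }

// Unsafe shape of the entry points in the comment: hold a raw Frame* across the
// synchronous scroll. Returns whether that pointer still names a live frame;
// in real code a false here means the next dereference is a use-after-free.
bool RawPointerSurvivesSyncScroll(bool removalPending) {
  ModelPresShell shell;
  Frame* frame = shell.AddFrame("scrollable");
  if (removalPending) shell.QueueNotification([&shell, frame] { shell.DestroyFrame(frame); });
  shell.ScrollSelectionIntoView(/*synchronous=*/true);
  return shell.IsLive(frame);
}

// Guarded shape: re-check through a weak handle after the flush and bail out
// if the frame is gone. Returns the number of scroll steps applied (0 or 1).
int GuardedPageMove(bool removalPending) {
  ModelPresShell shell;
  Frame* frame = shell.AddFrame("scrollable");
  if (removalPending) shell.QueueNotification([&shell, frame] { shell.DestroyFrame(frame); });
  WeakFrame weak(shell, frame);
  shell.ScrollSelectionIntoView(/*synchronous=*/true);
  if (!weak.IsAlive()) return 0;  // frame destroyed by the flush: do not touch it
  weak.GetFrame()->scrollCount += 1;
  return weak.GetFrame()->scrollCount;
}
```

The model makes the audit question concrete: for each candidate entry point, what is held across the SCROLL_SYNCHRONOUS call (raw frame, PresContext, shell) and is it re-validated afterwards? With no pending removal both callers behave identically; with one queued, the raw-pointer caller is left holding a dead frame while the guarded caller observes the cleared weak handle and returns early.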
