Closed Bug 11857 Opened 26 years ago Closed 26 years ago

crash in nsHTMLEditor::GetSelectedElement

Categories: Core :: DOM: Editor, defect, P3

Platform: x86, Windows NT

Status: VERIFIED FIXED

Reporter: buster, Assigned: cmanske

Details

Open the editor with the default home page. In the second line of text, insert an image anywhere. Select from a few characters in front of the image to a few characters behind the image. Press the Make Link button. Crash.

Looking at GetSelectedElement, the logic in the loop seems wrong. bNodeFound is set to true in this snippet:

    } else if (TagName == domTagName) {
      // All other tag names are handled here
      bNodeFound = PR_TRUE;
    }

but the loop continues and selectedElement is subsequently set to null. Then, when the loop finally terminates, selectedElement no longer points to the element that was being processed when bNodeFound was set to true. In this case, it's null and you crash.

stack:

nsHTMLEditor::GetSelectedElement(nsHTMLEditor * const 0x0a885e24, const nsString & {...}, nsIDOMElement * * 0x0012df64) line 2136 + 10 bytes
nsEditorShell::GetSelectedElement(nsEditorShell * const 0x0a846d80, const unsigned short * 0x0ac3e240, nsIDOMElement * * 0x0012df64) line 1771 + 34 bytes
XPTC_InvokeByIndex(nsISupports * 0x0a846d80, unsigned int 44, unsigned int 2, nsXPTCVariant * 0x0012df54) line 135
nsXPCWrappedNativeClass::CallWrappedMethod(JSContext * 0x0ab55100, nsXPCWrappedNative * 0x0a9bee30, const XPCNativeMemberDescriptor * 0x010fa080, nsXPCWrappedNativeClass::CallMode CALL_METHOD, unsigned int 1, long * 0x0114f5c0, long * 0x0012e15c) line 511 + 44 bytes
WrappedNative_CallMethod(JSContext * 0x0ab55100, JSObject * 0x0a4846c8, unsigned int 1, long * 0x0114f5c0, long * 0x0012e15c) line 130
js_Invoke(JSContext * 0x0ab55100, unsigned int 1, unsigned int 0) line 654 + 26 bytes
js_Interpret(JSContext * 0x0ab55100, long * 0x0012e988) line 2228 + 15 bytes
js_Invoke(JSContext * 0x0ab55100, unsigned int 0, unsigned int 0) line 670 + 13 bytes
js_Interpret(JSContext * 0x0ab55100, long * 0x0012f170) line 2228 + 15 bytes
js_Invoke(JSContext * 0x0ab55100, unsigned int 0, unsigned int 0) line 670 + 13 bytes
js_Interpret(JSContext * 0x0ab55100, long * 0x0012f958) line 2228 + 15 bytes
js_Invoke(JSContext * 0x0ab55100, unsigned int 1, unsigned int 2) line 670 + 13 bytes
js_InternalCall(JSContext * 0x0ab55100, JSObject * 0x011b8040, long 18521208, unsigned int 1, long * 0x0012fa98, long * 0x0012faa0) line 747 + 15 bytes
JS_CallFunctionValue(JSContext * 0x0ab55100, JSObject * 0x011b8040, long 18521208, unsigned int 1, long * 0x0012fa98, long * 0x0012faa0) line 2643 + 29 bytes
nsJSEventListener::HandleEvent(nsIDOMEvent * 0x0ad1cab0) line 97 + 34 bytes
nsEventListenerManager::HandleEvent(nsIPresContext & {...}, nsEvent * 0x0012fcd8, nsIDOMEvent * * 0x0012fbd4, unsigned int 3, nsEventStatus & nsEventStatus_eIgnore) line 971 + 21 bytes
GlobalWindowImpl::HandleDOMEvent(GlobalWindowImpl * const 0x0ab559d4, nsIPresContext & {...}, nsEvent * 0x0012fcd8, nsIDOMEvent * * 0x0012fbd4, unsigned int 1, nsEventStatus & nsEventStatus_eIgnore) line 2808
nsWebShell::OnEndDocumentLoad(nsWebShell * const 0x0abfe294, nsIDocumentLoader * 0x0abfedf0, nsIChannel * 0x0a9a94b0, unsigned int 0, nsIDocumentLoaderObserver * 0x0abfe294) line 3285 + 34 bytes
nsDocLoaderImpl::FireOnEndDocumentLoad(nsIDocumentLoader * 0x0abfedf0, unsigned int 0) line 1126
nsDocLoaderImpl::OnStopRequest(nsDocLoaderImpl * const 0x0abfedf4, nsIChannel * 0x0ac3c070, nsISupports * 0x00000000, unsigned int 0, const unsigned short * 0x00000000) line 1033
Target Milestone: M10
*** Bug 11584 has been marked as a duplicate of this bug. ***
*** Bug 12416 has been marked as a duplicate of this bug. ***
Status: NEW → ASSIGNED
Status: ASSIGNED → RESOLVED
Closed: 26 years ago
Resolution: --- → FIXED
Returning a null selectedElement is OK, I just needed to check for null before doing the AddRef. Checked in 8/31
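The loop shape from the report (bNodeFound set on a match, selectedElement cleared by a later iteration) and the fix described in this comment (null-check before AddRef), as an added illustration that is not the nsHTMLEditor code. Element, Selection, ScanResult, the tag-matching rule, the "#text"/"img" sample selection and the 0/-1 status codes are constructed stand-ins for the editor's DOM, XPCOM refcounting and nsresult values:

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Constructed stand-in for a DOM element with an XPCOM-style reference count.
struct Element {
    std::string tag;
    int refcnt = 0;
    void AddRef() { ++refcnt; }
};

// Constructed stand-in for the selection: the nodes it covers, in document order.
using Selection = std::vector<Element*>;

struct ScanResult {
    bool nodeFound;             // plays the role of bNodeFound in the report
    Element* selectedElement;   // plays the role of selectedElement in the report
};

// The loop as the report describes it: a tag match sets nodeFound, but there is
// no break, and a later non-matching node resets selectedElement. After the
// loop the two values can therefore disagree: nodeFound true, pointer null.
static ScanResult ScanSelection(const Selection& sel, const std::string& tagName) {
    bool nodeFound = false;
    Element* selectedElement = nullptr;
    for (Element* node : sel) {
        if (node->tag == tagName) {
            selectedElement = node;
            nodeFound = true;               // found, but scanning continues
        } else {
            selectedElement = nullptr;      // clears the earlier pick
        }
    }
    return {nodeFound, selectedElement};
}

// The fix as the comment describes it: a null selectedElement is an acceptable
// result, so check the pointer itself before AddRef() rather than trusting
// nodeFound. Returns 0 for success and -1 for a missing out-param (constructed
// codes standing in for nsresult values); it never dereferences null.
static int GetSelectedElement(const Selection& sel, const std::string& tagName, Element** out) {
    if (out == nullptr) return -1;
    *out = nullptr;
    ScanResult r = ScanSelection(sel, tagName);
    if (r.selectedElement != nullptr) {     // the null check the fix added
        r.selectedElement->AddRef();
        *out = r.selectedElement;
    }
    return 0;
}

// Constructed reproduction of the report's selection: some text, an image,
// then more text, with the selection spanning all three nodes.
static Selection SelectionAroundImage(Element& before, Element& img, Element& after) {
    before.tag = "#text";
    img.tag = "img";
    after.tag = "#text";
    return Selection{&before, &img, &after};
}

int main() {
    Element a, b, c;
    Selection sel = SelectionAroundImage(a, b, c);

    ScanResult r = ScanSelection(sel, "img");
    std::printf("nodeFound=%d selectedElement=%p\n", r.nodeFound ? 1 : 0,
                static_cast<void*>(r.selectedElement));

    Element* out = nullptr;
    int rv = GetSelectedElement(sel, "img", &out);
    std::printf("rv=%d out=%p (no crash: null checked before AddRef)\n", rv,
                static_cast<void*>(out));
    return 0;
}
```

Running this on the spanning selection shows the inconsistent pair (nodeFound true, pointer null) that an unconditional AddRef would dereference; the checked version returns success with a null element, which is exactly the outcome the fix comment says is acceptable. On a selection that contains only the image, the element comes back with its reference count bumped.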
Status: RESOLVED → VERIFIED
verified in 9/3 build.