Closed Bug 1254975 Opened 9 years ago Closed 9 years ago

NULL pointer crash in nsEditor::IsTextNode

Categories

(Core :: DOM: Editor, defect)

47 Branch
defect
Not set
critical

RESOLVED DUPLICATE of bug 1317718

People

(Reporter: abbGZcvu_bugzilla.mozilla.org, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: btpp-fixlater)

Attachments

(1 file)

Attached file repro.html
JavaScript can cause a NULL pointer dereference crash in editing code.

Repro.html:

    <script>
    onload = function () {
      document.documentElement.contentEditable = 'true';
      document.removeChild(document.documentElement);
      document.designMode = 'on';
      document.execCommand('indent');
    };
    </script>

Relevant code:

https://dxr.mozilla.org/mozilla-central/source/editor/libeditor/nsHTMLEditRules.cpp#5781

    for (int32_t i = 0; i < rangeCount; i++) {
      RefPtr<nsRange> r = aArrayOfRanges[i];
      nsCOMPtr<nsIContent> endParent = do_QueryInterface(r->GetEndParent());
      if (!mHTMLEditor->IsTextNode(endParent)) {    => endParent is NULL

https://dxr.mozilla.org/mozilla-central/source/editor/libeditor/nsEditor.cpp#3628

    bool
    nsEditor::IsTextNode(nsINode *aNode)
    {
      return aNode->NodeType() == nsIDOMNode::TEXT_NODE;    => aNode is NULL

There is a reference to passing a NULL pointer to this function in bug 671152 as well, but otherwise it appears unrelated.
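As an added illustration, not code from this report or from Gecko: a minimal C++ model of the two functions quoted above, with the unchecked form beside a null-tolerant one. The Node and Range types are constructed stand-ins, and the guarded loop is an assumption about what a fix looks like, not the patch that landed for the duplicate bug.

```cpp
#include <cstdint>
#include <vector>

// Constructed stand-ins for nsINode / nsRange (not Mozilla code).
// nodeType mirrors the DOM constant: TEXT_NODE == 3.
struct Node {
  uint16_t nodeType;
};
constexpr uint16_t TEXT_NODE = 3;

struct Range {
  // nullptr models what the repro produces: once documentElement is
  // removed, the range's end parent no longer resolves to content.
  Node* endParent;
};

// Shape of the original check: dereferences aNode unconditionally,
// so a null end parent faults here (kept only for comparison).
bool IsTextNodeUnchecked(Node* aNode) {
  return aNode->nodeType == TEXT_NODE;
}

// Hardened form (assumed fix): a null node is simply "not a text node".
bool IsTextNode(const Node* aNode) {
  return aNode != nullptr && aNode->nodeType == TEXT_NODE;
}

// Model of the nsHTMLEditRules loop: count ranges whose end parent is a
// non-text node (the branch the crash sits in). Ranges with no end
// parent are skipped explicitly instead of being dereferenced.
int CountNonTextEndParents(const std::vector<Range>& aRanges) {
  int count = 0;
  for (const Range& r : aRanges) {
    const Node* endParent = r.endParent;
    if (!endParent) {
      continue;  // the repro's case: nothing to inspect
    }
    if (!IsTextNode(endParent)) {
      ++count;
    }
  }
  return count;
}

// Constructed sample: one text end parent, one element, one missing.
int DemoCount() {
  static Node text{TEXT_NODE};
  static Node element{1};
  std::vector<Range> ranges{{&text}, {&element}, {nullptr}};
  return CountNonTextEndParents(ranges);  // returns 1
}
```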
The Editor module is unfortunately rather unowned ATM. We're working on fixing the situation and will follow up when we have news.
Whiteboard: btpp-fixlater
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE