Closed
Bug 149320
Opened 22 years ago
Closed 22 years ago
crash if invalid setStart is set on a Range
Categories
(Core :: DOM: Core & HTML, defect, P3)
Tracking
()
RESOLVED
FIXED
M1
People
(Reporter: mail, Assigned: mozeditor)
References
Details
(Keywords: crash, testcase, Whiteboard: fixinhand, has r= and sr=)
Attachments
(3 files, 1 obsolete file)
394 bytes,
text/html
|
Details | |
553 bytes,
text/html
|
Details | |
4.57 KB,
patch
|
glazou
:
review+
kinmoz
:
superreview+
|
Details | Diff | Splinter Review |
From Bugzilla Helper: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0rc3) Gecko/20020523 BuildID: 2002052306 setStart to an invalid offset for a Range. Alert or appending of textNode of Range causes crash. Reproducible: Always Steps to Reproduce: 1. createRange 2. setStart to invalid offset Actual Results: crash Expected Results: error
Reporter | ||
Comment 1•22 years ago
|
||
Reporter | ||
Comment 2•22 years ago
|
||
Added try-catch to testcase. Should catch an INDEX_SIZE_ERR exception rather than crashing.
Comment 3•22 years ago
|
||
With 2002060408/trunk/W2K using 1st testcase -> crash, TB7054045Q
I add some condition to avoid crash for nil point, I think this patch can match the reporter's need.
Before checking in any content iterator changes, or getting a super review, I would get a review from jfrancis@netscape.com who wrote it. That said, I believe there is an implicit assumption by the content iterator and all backend users of range (like the editor) that the range will either be un-positioned or contain valid containers and offsets. I really think that we need to fix SetStart()/SetEnd()or the underlying DoSetRange() function to validate indexes and containers ... I'm actually quite surprised that it's not doing that already since the spec mentions specific situations to check for.
Assignee | ||
Comment 8•22 years ago
|
||
I agree with Kin. Lets fix this in the right place. Submitting patch soon.
Assignee: kin → jfrancis
Status: ASSIGNED → NEW
Assignee | ||
Comment 9•22 years ago
|
||
This fixes it, and generates the out-of-bounds error expected in the second testcase. Kin, can you sr?
Attachment #89879 -
Attachment is obsolete: true
Assignee | ||
Comment 10•22 years ago
|
||
The days of having a half dozen milestones out in front of us to divide bugs between seem to be gone, though I dont know why. Lumping everything together as far out as I can. I'll pull back things that I am working on as I go.
Target Milestone: mozilla1.1beta → mozilla1.2beta
Assignee | ||
Updated•22 years ago
|
Status: NEW → ASSIGNED
Whiteboard: fixinhand; need r=,sr=
Target Milestone: mozilla1.2beta → M1
Comment 11•22 years ago
|
||
Comment on attachment 91184 [details] [diff] [review] patch to content/base/nsRange.{h,cpp} sr=kin@netscape.com
Attachment #91184 -
Flags: superreview+
Comment on attachment 91184 [details] [diff] [review] patch to content/base/nsRange.{h,cpp} One comment only : DOM Comments are also CharacterData so I would prefer to see them appear in the main 'if' case of GetNodeLength()... Just in case we decide some day in the future to allow visibility of XML comments. r=glazman
Attachment #91184 -
Flags: review+
Updated•22 years ago
|
Whiteboard: fixinhand; need r=,sr= → fixinhand, has r= and sr=
Assignee | ||
Comment 13•22 years ago
|
||
fix landed on trunk
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Comment 14•15 years ago
|
||
Crashtest added as part of http://hg.mozilla.org/mozilla-central/rev/54417ebbaea2
Flags: in-testsuite+
Updated•11 years ago
|
Component: DOM: Traversal-Range → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•