ExecCommand with insertHTML crashes @ nsHTMLEditRules.cpp:2318

RESOLVED WORKSFORME

Status


Core
Editor
--
critical
RESOLVED WORKSFORME
11 years ago
9 years ago

People

(Reporter: Paul Nickerson, Unassigned)

Tracking

(Blocks: 1 bug, {crash, testcase})

1.8 Branch
x86
Linux
crash, testcase
Points:
---
Bug Flags:
in-testsuite -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:nse?] null deref)

(Reporter)

Description

11 years ago
Created attachment 266111 [details]
testcase - put fuzz.js in same directory

backtrace

#0  0xb390f757 in nsHTMLEditRules::WillDeleteSelection (this=0xb0e5ce78, 
    aSelection=0xb0e33f20, aAction=0, aCancel=0xbfea8f00, aHandled=0xbfea8efc)
    at nsHTMLEditRules.cpp:2318
#1  0xb3910bf8 in nsHTMLEditRules::WillDoAction (this=0xb0e5ce78, 
    aSelection=0xb0e33f20, aInfo=0xbfea8eb0, aCancel=0xbfea8f00, aHandled=0x0)
    at nsHTMLEditRules.cpp:601
#2  0xb3937544 in nsPlaintextEditor::DeleteSelection (this=0xb115b610, 
    aAction=0) at nsPlaintextEditor.cpp:688
#3  0xb3947246 in nsEditor::DeleteSelectionAndPrepareToCreateNode (
    this=0xb115b610, parentSelectedNode=@0xbfea92d4, 
    offsetOfNewNode=@0xbfea92d0) at nsEditor.cpp:4878
#4  0xb38d85b8 in nsHTMLEditor::InsertHTMLWithContext (this=0xb115b610, 
    aInputString=@0xbfea9384, aContextStr=@0xb7f23f98, aInfoStr=@0xb7f23f98, 
    aFlavor=@0xb7f23f98, aSourceDoc=0x0, aDestNode=0x0, aDestOffset=0, 
    aDeleteSelection=1) at nsHTMLDataTransfer.cpp:428
#5  0xb38d0a5d in nsHTMLEditor::InsertHTML (this=0xb115b610, 
    aInString=@0xbfea9384) at nsHTMLDataTransfer.cpp:256
#6  0xb389e5c5 in nsInsertHTMLCommand::DoCommandParams (this=0xb11d8610, 
    aCommandName=0xbfea95cc "cmd_insertHTML", aParams=0xb1156f18, 
    refCon=0xb115b610) at nsComposerCommands.cpp:1472
#7  0xb67b3eea in nsControllerCommandTable::DoCommandParams (this=0xb11a8270, 
    aCommandName=0xbfea95cc "cmd_insertHTML", aParams=0xb1156f18, 
    aCommandRefCon=0xb115b610) at nsControllerCommandTable.cpp:208


source

      if (IsBlockNode(endNode))
        rightParent = endNode;
      else
        rightParent = mHTMLEditor->GetBlockNodeParent(endNode);
        
      // are endpoint block parents the same?  use default deletion
      if (leftParent == rightParent) 
      {
        res = mHTMLEditor->DeleteSelectionImpl(aAction);
      }
      else
      {
        // deleting across blocks
        // are the blocks of same type?
        
        // are the blocks siblings?
        nsCOMPtr<nsIDOMNode> leftBlockParent;
        nsCOMPtr<nsIDOMNode> rightBlockParent;
        leftParent->GetParentNode(getter_AddRefs(leftBlockParent));
        rightParent->GetParentNode(getter_AddRefs(rightBlockParent));    <--- crashes here

        // MOOSE: this could conceivably screw up a table.. fix me.
        if (   (leftBlockParent == rightBlockParent)
            && (mHTMLEditor->NodesSameType(leftParent, rightParent))  )
(Reporter)

Updated

11 years ago
Keywords: crash, testcase
(Reporter)

Comment 1

11 years ago
Created attachment 266124 [details]
fuzz.js

Comment 2

11 years ago
Any chance to have a minimal testcase?
rightParent is an nsCOMPtr<nsIDOMNode> and it seems to be null, so this
doesn't have to be Security-Sensitive, right?
Component: Layout → Editor
QA Contact: layout → editor
Whiteboard: [sg:nse?] null deref
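Added illustration, not Mozilla's code: a compact C++ model of the "deleting across blocks" branch quoted in the description, with the null check that comment 2's diagnosis implies placed before the block parents are dereferenced. The Node struct, the tag names, the DeleteResult enum and the sample tree are constructed assumptions, not editor APIs.

```cpp
#include <cstdio>
#include <string>

// Minimal stand-in for the DOM nodes the editor walks (constructed for this example).
struct Node {
    std::string tag;   // "body", "p", "div", "#text"
    bool isBlock;
    Node* parent;
};

// Nearest block-level ancestor, or nullptr when there is none: that is the
// situation that left rightParent null before the GetParentNode call above.
Node* getBlockNodeParent(Node* n) {
    for (Node* p = n ? n->parent : nullptr; p; p = p->parent)
        if (p->isBlock) return p;
    return nullptr;
}

enum class DeleteResult { DefaultDelete, JoinBlocks, MoveContent, NullParentError };

// Same decision sequence as the quoted WillDeleteSelection code, with the
// missing null check added before the block parents are dereferenced.
DeleteResult planCrossBlockDelete(Node* startNode, Node* endNode) {
    Node* leftParent  = startNode->isBlock ? startNode : getBlockNodeParent(startNode);
    Node* rightParent = endNode->isBlock   ? endNode   : getBlockNodeParent(endNode);
    if (leftParent == rightParent) return DeleteResult::DefaultDelete;  // default deletion
    // Hardening: the original calls leftParent->/rightParent->GetParentNode() unconditionally.
    if (!leftParent || !rightParent) return DeleteResult::NullParentError;
    bool siblings = leftParent->parent == rightParent->parent;
    bool sameType = leftParent->tag == rightParent->tag;
    return (siblings && sameType) ? DeleteResult::JoinBlocks : DeleteResult::MoveContent;
}

// Constructed sample: <body><p>t1 t1b</p><p>t2</p><div>t3</div></body>, plus a
// detached text node with no block ancestor, the shape that produces a null parent.
struct Sample {
    Node body{"body", true, nullptr};
    Node p1{"p", true, &body}, p2{"p", true, &body}, div1{"div", true, &body};
    Node t1{"#text", false, &p1}, t1b{"#text", false, &p1};
    Node t2{"#text", false, &p2}, t3{"#text", false, &div1};
    Node orphan{"#text", false, nullptr};
};
Sample kSample;

int main() {
    std::printf("p->p: %d, p->div: %d, p->orphan: %d\n",
                (int)planCrossBlockDelete(&kSample.t1, &kSample.t2),
                (int)planCrossBlockDelete(&kSample.t1, &kSample.t3),
                (int)planCrossBlockDelete(&kSample.t1, &kSample.orphan));
    return 0;
}
```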

Updated

11 years ago
Blocks: 336383

Comment 4

9 years ago
WFM on mozilla-central.
Group: core-security
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Flags: in-testsuite-
Resolution: --- → WORKSFORME