Closed
Bug 382046
Opened 17 years ago
Closed 15 years ago
ExecCommand with insertHTML crashes @ nsHTMLEditRules.cpp:2318
Categories
(Core :: DOM: Editor, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: pvnick, Unassigned)
References
Details
(Keywords: crash, testcase, Whiteboard: [sg:nse?] null deref)
backtrace #0 0xb390f757 in nsHTMLEditRules::WillDeleteSelection (this=0xb0e5ce78, aSelection=0xb0e33f20, aAction=0, aCancel=0xbfea8f00, aHandled=0xbfea8efc) at nsHTMLEditRules.cpp:2318 #1 0xb3910bf8 in nsHTMLEditRules::WillDoAction (this=0xb0e5ce78, aSelection=0xb0e33f20, aInfo=0xbfea8eb0, aCancel=0xbfea8f00, aHandled=0x0) at nsHTMLEditRules.cpp:601 #2 0xb3937544 in nsPlaintextEditor::DeleteSelection (this=0xb115b610, aAction=0) at nsPlaintextEditor.cpp:688 #3 0xb3947246 in nsEditor::DeleteSelectionAndPrepareToCreateNode ( this=0xb115b610, parentSelectedNode=@0xbfea92d4, offsetOfNewNode=@0xbfea92d0) at nsEditor.cpp:4878 #4 0xb38d85b8 in nsHTMLEditor::InsertHTMLWithContext (this=0xb115b610, aInputString=@0xbfea9384, aContextStr=@0xb7f23f98, aInfoStr=@0xb7f23f98, aFlavor=@0xb7f23f98, aSourceDoc=0x0, aDestNode=0x0, aDestOffset=0, aDeleteSelection=1) at nsHTMLDataTransfer.cpp:428 #5 0xb38d0a5d in nsHTMLEditor::InsertHTML (this=0xb115b610, aInString=@0xbfea9384) at nsHTMLDataTransfer.cpp:256 #6 0xb389e5c5 in nsInsertHTMLCommand::DoCommandParams (this=0xb11d8610, aCommandName=0xbfea95cc "cmd_insertHTML", aParams=0xb1156f18, refCon=0xb115b610) at nsComposerCommands.cpp:1472 #7 0xb67b3eea in nsControllerCommandTable::DoCommandParams (this=0xb11a8270, aCommandName=0xbfea95cc "cmd_insertHTML", aParams=0xb1156f18, aCommandRefCon=0xb115b610) at nsControllerCommandTable.cpp:208 source if (IsBlockNode(endNode)) rightParent = endNode; else rightParent = mHTMLEditor->GetBlockNodeParent(endNode); // are endpoint block parents the same? use default deletion if (leftParent == rightParent) { res = mHTMLEditor->DeleteSelectionImpl(aAction); } else { // deleting across blocks // are the blocks of same type? // are the blocks siblings? nsCOMPtr<nsIDOMNode> leftBlockParent; nsCOMPtr<nsIDOMNode> rightBlockParent; leftParent->GetParentNode(getter_AddRefs(leftBlockParent)); rightParent->GetParentNode(getter_AddRefs(rightBlockParent)); <--- crashes here // MOOSE: this could conceivably screw up a table.. fix me. if ( (leftBlockParent == rightBlockParent) && (mHTMLEditor->NodesSameType(leftParent, rightParent)) )
Reporter | ||
Updated•17 years ago
|
Reporter | ||
Comment 1•17 years ago
|
||
Comment 2•17 years ago
|
||
Any chance to have a minimal testcase. rightParent is a nsCOMPtr<nsIDOMNode> and it seems to be null, so this doesn't have to be Security-Sensitive, right?
Component: Layout → Editor
QA Contact: layout → editor
Comment 3•17 years ago
|
||
This seems to have regressed on branch somehow between 2006-07-28 and 2006-07-30: http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=MOZILLA_1_8_BRANCH&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2006-07-28+04&maxdate=2006-07-30+10&cvsroot=%2Fcvsroot
Updated•17 years ago
|
Whiteboard: [sg:nse?] null deref
Comment 4•15 years ago
|
||
WFM on mozilla-central.
Group: core-security
Status: NEW → RESOLVED
Closed: 15 years ago
Flags: in-testsuite-
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•