Created attachment 282056 [details] testcase (crashes Firefox when loaded) Loading the testcase crashes Firefox.
The frame constructor checks for a tag name "listboxbody" without checking for a XUL namespace: http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/base/nsCSSFrameConstructor.cpp&rev=1.1402#5959 Is that the only problem, or would there still be a way to crash if that were fixed?
That would still be a problem. You could have "naked" XUL listboxbody like this and it would crash. You could stick it in a grid with unscrollable overflow, and it would crash. Etc, etc. nsListBoxBodyFrame::GetAvailableHeight needs to null-check the return value of nsLayoutUtils::GetScrollableFrameFor like the other callers in that file, imo.
Created attachment 282096 [details] [diff] [review] null check scrollFrame Like this. Handling namespaces properly in CSSFC is a different bug. I noticed there are several cases where namespace should be checked but it isn't.
Attachment #282096 - Flags: approval1.9?
Attachment #282096 - Flags: approval1.9? → approval1.9+
Assignee: nobody → Olli.Pettay
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
Crashtest checked in.
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: xptoolkit.xul → xptoolkit.widgets
Crash Signature: [@ nsListBoxBodyFrame::GetAvailableHeight]
You need to log in before you can comment on or make changes to this bug.