Closed Bug 397304 Opened 16 years ago Closed 16 years ago
Crash [@ ns
List Box Body Frame::Get Available Height] with fake listboxbody
Loading the testcase crashes Firefox.
The frame constructor checks for a tag name "listboxbody" without checking for a XUL namespace: http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/base/nsCSSFrameConstructor.cpp&rev=1.1402#5959 Is that the only problem, or would there still be a way to crash if that were fixed?
That would still be a problem. You could have "naked" XUL listboxbody like this and it would crash. You could stick it in a grid with unscrollable overflow, and it would crash. Etc, etc. nsListBoxBodyFrame::GetAvailableHeight needs to null-check the return value of nsLayoutUtils::GetScrollableFrameFor like the other callers in that file, imo.
Like this. Handling namespaces properly in CSSFC is a different bug. I noticed there are several cases where namespace should be checked but it isn't.
Attachment #282096 - Flags: approval1.9?
Attachment #282096 - Flags: approval1.9? → approval1.9+
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Crashtest checked in.
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: xptoolkit.xul → xptoolkit.widgets
Crash Signature: [@ nsListBoxBodyFrame::GetAvailableHeight]
You need to log in before you can comment on or make changes to this bug.