766181 - Need an extra null check for aOutIndex in Selection::AddItem

Status: RESOLVED FIXED

(Core :: DOM: Selection, defect)

Description

[:Ms2ger (he/him; ⌚ UTC+1/+2)]

Need a null-check at <http://hg.mozilla.org/mozilla-central/annotate/d29af708ec3c/layout/generic/nsSelection.cpp#l3559>.

Comment 1

[Graeme McCutcheon [:graememcc]]

Attachment: Trivial fix

Trivial fix.

I fear this wasn't the cause of the crashes Boris was hitting. I tried to work backwards with the aim of creating a crashtest. To hit this line requires the existing selection to be non-empty, and the given range to overlap it in some way. However, the only caller of AddItem without an initialised aOutIndex is Selection::Collapse, which explicitly empties the selection before calling AddItem.

Comment 2

[Robert O'Callahan (:roc) (email my personal email if necessary)]

How about just making all callers pass something for aOutIndex? I think that's the way to go here.

Comment 3

[Graeme McCutcheon [:graememcc]]

Attachment: v2

Comment 4

[Robert O'Callahan (:roc) (email my personal email if necessary)]

Comment on attachment 639349 [details] [diff] [review]
v2

Review of attachment 639349 [details] [diff] [review]:
-----------------------------------------------------------------

::: layout/generic/nsSelection.cpp
@@ +3459,1 @@
>      return NS_ERROR_NULL_POINTER;

Don't check aOutIndex here. Just add NS_ASSERTION(aOutIndex, "aOutIndex can't be null").

Comment 5

[Graeme McCutcheon [:graememcc]]

Attachment: v3

I forgot I still owed you a patch here.

Comment 6

[Graeme McCutcheon [:graememcc]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/8bf7fa20ea33

Comment 7

[Ed Morley [:emorley]]

https://hg.mozilla.org/mozilla-central/rev/8bf7fa20ea33