wine/gecko
0
0
Fork 0
mirror of https://gitlab.winehq.org/wine/wine-gecko.git synced 2024-09-13 09:24:08 -07:00
Code Issues Packages Projects Releases Wiki Activity

Bug 842132 - Crash with contentEditable, selection.deleteFromDocument with overlapping selection ranges, r=tbsaunde

Browse Source
This commit is contained in:
Olli Pettay 2013-02-18 18:32:32 +02:00
parent 10bb153b4f
commit dc2243899a
4 changed files with 32 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
editor/libeditor/base/nsEditor.cpp
View File

@ -4566,8 +4566,7 @@ nsEditor::CreateTxnForDeleteSelection(EDirection aAction,
// allocate the out-param transaction
nsRefPtr<EditAggregateTxn> aggTxn = new EditAggregateTxn();
uint32_t rangeCount = selection->GetRangeCount();
for (uint32_t rangeIdx = 0; rangeIdx < rangeCount; ++rangeIdx) {
for (int32_t rangeIdx = 0; rangeIdx < selection->GetRangeCount(); ++rangeIdx) {
nsRefPtr<nsRange> range = selection->GetRangeAt(rangeIdx);
NS_ENSURE_STATE(range);

27
layout/generic/crashtests/842132-1.html Normal file
View File

@ -0,0 +1,27 @@
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script>
function boom()
{
var e = document.body;
var sel = window.getSelection();
window.getSelection().removeAllRanges();
var r0 = document.createRange();
r0.setStart(e, 0);
r0.setEnd(e, 1);
window.getSelection().addRange(r0);
var r1 = document.createRange();
r1.setStart(e, 1);
r1.setEnd(e, 1);
window.getSelection().addRange(r1);
window.getSelection().deleteFromDocument();
}
</script>
</head>
<body onload="boom();" contenteditable="true">x</body>
</html>

1
layout/generic/crashtests/crashtests.list
View File

@ -428,3 +428,4 @@ test-pref(layout.css.flexbox.enabled,true) load 798235-1.html
test-pref(layout.css.flexbox.enabled,true) load 799207-1.html
asserts(12) test-pref(layout.css.flexbox.enabled,true) load 799207-2.html
test-pref(layout.css.flexbox.enabled,true) load 804089-1.xhtml
load 842132-1.html

6
layout/generic/nsSelection.cpp
View File

@ -2930,9 +2930,9 @@ nsFrameSelection::DeleteFromDocument()
return NS_OK;
}
uint32_t rangeCount = mDomSelections[index]->GetRangeCount();
for (uint32_t rangeIdx = 0; rangeIdx < rangeCount; ++rangeIdx) {
nsRefPtr<nsRange> range = mDomSelections[index]->GetRangeAt(rangeIdx);
nsRefPtr<mozilla::Selection> selection = mDomSelections[index];
for (int32_t rangeIdx = 0; rangeIdx < selection->GetRangeCount(); ++rangeIdx) {
nsRefPtr<nsRange> range = selection->GetRangeAt(rangeIdx);
res = range->DeleteContents();
if (NS_FAILED(res))
return res;