From dc2243899ad12323de0542db30cabc272a8a8c24 Mon Sep 17 00:00:00 2001
From: Olli Pettay <Olli.Pettay@helsinki.fi>
Date: Mon, 18 Feb 2013 18:32:32 +0200
Subject: [PATCH] Bug 842132 - Crash with contentEditable,
 selection.deleteFromDocument with overlapping selection ranges, r=tbsaunde

---
 editor/libeditor/base/nsEditor.cpp        |  3 +--
 layout/generic/crashtests/842132-1.html   | 27 +++++++++++++++++++++++
 layout/generic/crashtests/crashtests.list |  1 +
 layout/generic/nsSelection.cpp            |  6 ++---
 4 files changed, 32 insertions(+), 5 deletions(-)
 create mode 100644 layout/generic/crashtests/842132-1.html

diff --git a/editor/libeditor/base/nsEditor.cpp b/editor/libeditor/base/nsEditor.cpp
index 2c90b521fc2..7542fb497e4 100644
--- a/editor/libeditor/base/nsEditor.cpp
+++ b/editor/libeditor/base/nsEditor.cpp
@@ -4566,8 +4566,7 @@ nsEditor::CreateTxnForDeleteSelection(EDirection aAction,
   // allocate the out-param transaction
   nsRefPtr<EditAggregateTxn> aggTxn = new EditAggregateTxn();
 
-  uint32_t rangeCount = selection->GetRangeCount();
-  for (uint32_t rangeIdx = 0; rangeIdx < rangeCount; ++rangeIdx) {
+  for (int32_t rangeIdx = 0; rangeIdx < selection->GetRangeCount(); ++rangeIdx) {
     nsRefPtr<nsRange> range = selection->GetRangeAt(rangeIdx);
     NS_ENSURE_STATE(range);
 
diff --git a/layout/generic/crashtests/842132-1.html b/layout/generic/crashtests/842132-1.html
new file mode 100644
index 00000000000..7b20dba926d
--- /dev/null
+++ b/layout/generic/crashtests/842132-1.html
@@ -0,0 +1,27 @@
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<script>
+
+function boom()
+{
+  var e = document.body;
+  var sel = window.getSelection();
+
+  window.getSelection().removeAllRanges();
+  var r0 = document.createRange();
+  r0.setStart(e, 0);
+  r0.setEnd(e, 1);
+  window.getSelection().addRange(r0);
+  var r1 = document.createRange();
+  r1.setStart(e, 1);
+  r1.setEnd(e, 1);
+  window.getSelection().addRange(r1);
+
+  window.getSelection().deleteFromDocument();
+}
+
+</script>
+</head>
+
+<body onload="boom();" contenteditable="true">x</body>
+</html>
diff --git a/layout/generic/crashtests/crashtests.list b/layout/generic/crashtests/crashtests.list
index 91adce578d7..5c031be97d0 100644
--- a/layout/generic/crashtests/crashtests.list
+++ b/layout/generic/crashtests/crashtests.list
@@ -428,3 +428,4 @@ test-pref(layout.css.flexbox.enabled,true) load 798235-1.html
 test-pref(layout.css.flexbox.enabled,true) load 799207-1.html
 asserts(12) test-pref(layout.css.flexbox.enabled,true) load 799207-2.html
 test-pref(layout.css.flexbox.enabled,true) load 804089-1.xhtml
+load 842132-1.html
diff --git a/layout/generic/nsSelection.cpp b/layout/generic/nsSelection.cpp
index 60d672b4259..def52646716 100644
--- a/layout/generic/nsSelection.cpp
+++ b/layout/generic/nsSelection.cpp
@@ -2930,9 +2930,9 @@ nsFrameSelection::DeleteFromDocument()
     return NS_OK;
   }
 
-  uint32_t rangeCount = mDomSelections[index]->GetRangeCount();
-  for (uint32_t rangeIdx = 0; rangeIdx < rangeCount; ++rangeIdx) {
-    nsRefPtr<nsRange> range = mDomSelections[index]->GetRangeAt(rangeIdx);
+  nsRefPtr<mozilla::Selection> selection = mDomSelections[index];
+  for (int32_t rangeIdx = 0; rangeIdx < selection->GetRangeCount(); ++rangeIdx) {
+    nsRefPtr<nsRange> range = selection->GetRangeAt(rangeIdx);
     res = range->DeleteContents();
     if (NS_FAILED(res))
       return res;