[tbb-commits] [tor-browser/tor-browser-31.7.0esr-4.5-2] fixup! Bug 12827: Create preference to disable SVG.
mikeperry at torproject.org
mikeperry at torproject.org
Thu Jun 25 01:29:48 UTC 2015
commit 612ae46e1344327c495cec13fd756807c22ff826
Author: Kathy Brade <brade at pearlcrescent.com>
Date: Thu Jun 18 13:38:35 2015 -0400
fixup! Bug 12827: Create preference to disable SVG.
If an <object> is used to load an SVG from a .xml file, avoid
dereferencing null pointers when script elements are created as
generic elements (i.e., when svg.in-content.enabled=false).
Fixes ticket #16397.
---
content/xml/document/src/nsXMLContentSink.cpp | 12 +++++++++---
content/xml/document/src/nsXMLFragmentContentSink.cpp | 4 ++--
dom/xslt/xslt/txMozillaXMLOutput.cpp | 15 ++++++++-------
parser/html/nsHtml5TreeOpExecutor.cpp | 2 ++
4 files changed, 21 insertions(+), 12 deletions(-)
diff --git a/content/xml/document/src/nsXMLContentSink.cpp b/content/xml/document/src/nsXMLContentSink.cpp
index 104d80a..57ee45a 100644
--- a/content/xml/document/src/nsXMLContentSink.cpp
+++ b/content/xml/document/src/nsXMLContentSink.cpp
@@ -471,8 +471,10 @@ nsXMLContentSink::CreateElement(const char16_t** aAtts, uint32_t aAttsCount,
|| aNodeInfo->Equals(nsGkAtoms::script, kNameSpaceID_SVG)
) {
nsCOMPtr<nsIScriptElement> sele = do_QueryInterface(content);
- sele->SetScriptLineNumber(aLineNumber);
- sele->SetCreatorParser(GetParser());
+ if (sele) {
+ sele->SetScriptLineNumber(aLineNumber);
+ sele->SetCreatorParser(GetParser());
+ }
mConstrainSize = false;
}
@@ -554,13 +556,17 @@ nsXMLContentSink::CloseElement(nsIContent* aContent)
nsCOMPtr<nsIScriptElement> sele = do_QueryInterface(aContent);
if (mPreventScriptExecution) {
- sele->PreventExecution();
+ if (sele)
+ sele->PreventExecution();
return NS_OK;
}
// Always check the clock in nsContentSink right after a script
StopDeflecting();
+ if (!sele)
+ return NS_OK;
+
// Now tell the script that it's ready to go. This may execute the script
// or return true, or neither if the script doesn't need executing.
bool block = sele->AttemptToExecute();
diff --git a/content/xml/document/src/nsXMLFragmentContentSink.cpp b/content/xml/document/src/nsXMLFragmentContentSink.cpp
index 738a769..29dd1a3 100644
--- a/content/xml/document/src/nsXMLFragmentContentSink.cpp
+++ b/content/xml/document/src/nsXMLFragmentContentSink.cpp
@@ -229,8 +229,8 @@ nsXMLFragmentContentSink::CloseElement(nsIContent* aContent)
if (mPreventScriptExecution && aContent->Tag() == nsGkAtoms::script &&
(aContent->IsHTML() || aContent->IsSVG())) {
nsCOMPtr<nsIScriptElement> sele = do_QueryInterface(aContent);
- NS_ASSERTION(sele, "script did QI correctly!");
- sele->PreventExecution();
+ if (sele)
+ sele->PreventExecution();
}
return NS_OK;
}
diff --git a/dom/xslt/xslt/txMozillaXMLOutput.cpp b/dom/xslt/xslt/txMozillaXMLOutput.cpp
index 6b95345..45b8579 100644
--- a/dom/xslt/xslt/txMozillaXMLOutput.cpp
+++ b/dom/xslt/xslt/txMozillaXMLOutput.cpp
@@ -299,13 +299,14 @@ txMozillaXMLOutput::endElement()
} else if ((ns == kNameSpaceID_XHTML || ns == kNameSpaceID_SVG) &&
localName == nsGkAtoms::script) {
nsCOMPtr<nsIScriptElement> sele = do_QueryInterface(element);
- NS_ABORT_IF_FALSE(sele, "script elements need to implement nsIScriptElement");
- bool block = sele->AttemptToExecute();
- // If the act of insertion evaluated the script, we're fine.
- // Else, add this script element to the array of loading scripts.
- if (block) {
- rv = mNotifier->AddScriptElement(sele);
- NS_ENSURE_SUCCESS(rv, rv);
+ if (sele) {
+ bool block = sele->AttemptToExecute();
+ // If the act of insertion evaluated the script, we're fine.
+ // Else, add this script element to the array of loading scripts.
+ if (block) {
+ rv = mNotifier->AddScriptElement(sele);
+ NS_ENSURE_SUCCESS(rv, rv);
+ }
}
} else if (ns == kNameSpaceID_XHTML &&
(localName == nsGkAtoms::input ||
diff --git a/parser/html/nsHtml5TreeOpExecutor.cpp b/parser/html/nsHtml5TreeOpExecutor.cpp
index 6c52e5f..fb377bd 100644
--- a/parser/html/nsHtml5TreeOpExecutor.cpp
+++ b/parser/html/nsHtml5TreeOpExecutor.cpp
@@ -636,6 +636,8 @@ nsHtml5TreeOpExecutor::RunScript(nsIContent* aScriptElement)
NS_ASSERTION(aScriptElement, "No script to run");
nsCOMPtr<nsIScriptElement> sele = do_QueryInterface(aScriptElement);
+ if (!sele)
+ return;
if (!mParser) {
NS_ASSERTION(sele->IsMalformed(), "Script wasn't marked as malformed.");
More information about the tbb-commits
mailing list