[tbb-commits] [tor-browser/tor-browser-38.1.0esr-5.x-1] fixup! Bug 12827: Create preference to disable SVG.
mikeperry at torproject.org
mikeperry at torproject.org
Thu Jun 25 22:12:56 UTC 2015
commit 455a21820dff054fb8bde1417f3d0a289917d932
Author: Kathy Brade <brade at pearlcrescent.com>
Date: Thu Jun 25 12:06:54 2015 -0400
fixup! Bug 12827: Create preference to disable SVG.
If an <object> is used to load an SVG from a .xml file, avoid
dereferencing null pointers when script elements are created as
generic elements (i.e., when svg.in-content.enabled=false).
Fixes ticket #16397.
---
dom/xml/nsXMLContentSink.cpp | 12 +++++++++---
dom/xml/nsXMLFragmentContentSink.cpp | 4 ++--
dom/xslt/xslt/txMozillaXMLOutput.cpp | 15 ++++++++-------
parser/html/nsHtml5TreeOpExecutor.cpp | 2 ++
4 files changed, 21 insertions(+), 12 deletions(-)
diff --git a/dom/xml/nsXMLContentSink.cpp b/dom/xml/nsXMLContentSink.cpp
index cb360a1..3a512e2 100644
--- a/dom/xml/nsXMLContentSink.cpp
+++ b/dom/xml/nsXMLContentSink.cpp
@@ -473,8 +473,10 @@ nsXMLContentSink::CreateElement(const char16_t** aAtts, uint32_t aAttsCount,
|| aNodeInfo->Equals(nsGkAtoms::script, kNameSpaceID_SVG)
) {
nsCOMPtr<nsIScriptElement> sele = do_QueryInterface(content);
- sele->SetScriptLineNumber(aLineNumber);
- sele->SetCreatorParser(GetParser());
+ if (sele) {
+ sele->SetScriptLineNumber(aLineNumber);
+ sele->SetCreatorParser(GetParser());
+ }
mConstrainSize = false;
}
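Review bot: The new `if (sele)` guard in CreateElement has no comment explaining why a node matching `nsGkAtoms::script` can fail the QueryInterface, so a later reader may take it for dead defensive code and remove it. I would add `// sele is null when svg.in-content.enabled=false and the SVG script was created as a generic element.` above the guard; the same line would help at the other null checks this commit adds. `mConstrainSize = false;` still runs for the generic element, which looks harmless but is worth confirming as intended. The function body starts and ends outside the hunk.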
@@ -556,13 +558,17 @@ nsXMLContentSink::CloseElement(nsIContent* aContent)
nsCOMPtr<nsIScriptElement> sele = do_QueryInterface(aContent);
if (mPreventScriptExecution) {
- sele->PreventExecution();
+ if (sele)
+ sele->PreventExecution();
return NS_OK;
}
// Always check the clock in nsContentSink right after a script
StopDeflecting();
+ if (!sele)
+ return NS_OK;
+
// Now tell the script that it's ready to go. This may execute the script
// or return true, or neither if the script doesn't need executing.
bool block = sele->AttemptToExecute();
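Review bot: The two guards added in CloseElement are unbraced (`if (sele)` before `sele->PreventExecution();` and `if (!sele)` before `return NS_OK;`), while the guard this commit adds in CreateElement is braced. The unbraced form also appears in nsXMLFragmentContentSink::CloseElement and nsHtml5TreeOpExecutor::RunScript. Bracing them, e.g. `if (!sele) { return NS_OK; }`, keeps the null checks consistent and stops a later edit from placing a statement outside the guard by accident. CloseElement's body starts and ends outside the hunk.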
diff --git a/dom/xml/nsXMLFragmentContentSink.cpp b/dom/xml/nsXMLFragmentContentSink.cpp
index 7fce46b..b3d25e9 100644
--- a/dom/xml/nsXMLFragmentContentSink.cpp
+++ b/dom/xml/nsXMLFragmentContentSink.cpp
@@ -230,8 +230,8 @@ nsXMLFragmentContentSink::CloseElement(nsIContent* aContent)
if (mPreventScriptExecution && aContent->Tag() == nsGkAtoms::script &&
(aContent->IsHTML() || aContent->IsSVG())) {
nsCOMPtr<nsIScriptElement> sele = do_QueryInterface(aContent);
- NS_ASSERTION(sele, "script did QI correctly!");
- sele->PreventExecution();
+ if (sele)
+ sele->PreventExecution();
}
return NS_OK;
}
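Review bot: Dropping `NS_ASSERTION(sele, ...)` removes the debug check for every script element, although the commit message only expects SVG scripts created as generic elements to fail the QueryInterface. On this path a null `sele` means `PreventExecution()` is silently skipped, so a failed QI on an HTML script would now go unnoticed in debug builds. Assuming HTML script elements always implement nsIScriptElement, I would keep a narrowed assertion before the guard: `NS_ASSERTION(sele || aContent->IsSVG(), "HTML script did QI correctly!");`. The same applies to the `MOZ_ASSERT` removed in txMozillaXMLOutput::endElement, where the XHTML case could keep `MOZ_ASSERT(sele || ns == kNameSpaceID_SVG, ...)`.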
diff --git a/dom/xslt/xslt/txMozillaXMLOutput.cpp b/dom/xslt/xslt/txMozillaXMLOutput.cpp
index d72910e..b4c0098 100644
--- a/dom/xslt/xslt/txMozillaXMLOutput.cpp
+++ b/dom/xslt/xslt/txMozillaXMLOutput.cpp
@@ -300,13 +300,14 @@ txMozillaXMLOutput::endElement()
} else if ((ns == kNameSpaceID_XHTML || ns == kNameSpaceID_SVG) &&
localName == nsGkAtoms::script) {
nsCOMPtr<nsIScriptElement> sele = do_QueryInterface(element);
- MOZ_ASSERT(sele, "script elements need to implement nsIScriptElement");
- bool block = sele->AttemptToExecute();
- // If the act of insertion evaluated the script, we're fine.
- // Else, add this script element to the array of loading scripts.
- if (block) {
- rv = mNotifier->AddScriptElement(sele);
- NS_ENSURE_SUCCESS(rv, rv);
+ if (sele) {
+ bool block = sele->AttemptToExecute();
+ // If the act of insertion evaluated the script, we're fine.
+ // Else, add this script element to the array of loading scripts.
+ if (block) {
+ rv = mNotifier->AddScriptElement(sele);
+ NS_ENSURE_SUCCESS(rv, rv);
+ }
}
} else if (ns == kNameSpaceID_XHTML &&
(localName == nsGkAtoms::input ||
diff --git a/parser/html/nsHtml5TreeOpExecutor.cpp b/parser/html/nsHtml5TreeOpExecutor.cpp
index 6c424c8..ecb238e 100644
--- a/parser/html/nsHtml5TreeOpExecutor.cpp
+++ b/parser/html/nsHtml5TreeOpExecutor.cpp
@@ -636,6 +636,8 @@ nsHtml5TreeOpExecutor::RunScript(nsIContent* aScriptElement)
NS_ASSERTION(aScriptElement, "No script to run");
nsCOMPtr<nsIScriptElement> sele = do_QueryInterface(aScriptElement);
+ if (!sele)
+ return;
if (!mParser) {
NS_ASSERTION(sele->IsMalformed(), "Script wasn't marked as malformed.");