[tor-browser/tor-browser-31.7.0esr-4.5-2] fixup! Bug 12827: Create preference to disable SVG. - tbb-commits

25 Jun 2015

commit 612ae46e1344327c495cec13fd756807c22ff826
Author: Kathy Brade brade@pearlcrescent.com
Date:   Thu Jun 18 13:38:35 2015 -0400
fixup! Bug 12827: Create preference to disable SVG.
If an <object> is used to load an SVG from a .xml file, avoid
    dereferencing null pointers when script elements are created as
    generic elements (i.e., when svg.in-content.enabled=false).
    Fixes ticket #16397.
---
 content/xml/document/src/nsXMLContentSink.cpp         |   12 +++++++++---
 content/xml/document/src/nsXMLFragmentContentSink.cpp |    4 ++--
 dom/xslt/xslt/txMozillaXMLOutput.cpp                  |   15 ++++++++-------
 parser/html/nsHtml5TreeOpExecutor.cpp                 |    2 ++
 4 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/content/xml/document/src/nsXMLContentSink.cpp b/content/xml/document/src/nsXMLContentSink.cpp
index 104d80a..57ee45a 100644
--- a/content/xml/document/src/nsXMLContentSink.cpp
+++ b/content/xml/document/src/nsXMLContentSink.cpp
@@ -471,8 +471,10 @@ nsXMLContentSink::CreateElement(const char16_t** aAtts, uint32_t aAttsCount,
       || aNodeInfo->Equals(nsGkAtoms::script, kNameSpaceID_SVG)
     ) {
     nsCOMPtr<nsIScriptElement> sele = do_QueryInterface(content);
-    sele->SetScriptLineNumber(aLineNumber);
-    sele->SetCreatorParser(GetParser());
+    if (sele) {
+      sele->SetScriptLineNumber(aLineNumber);
+      sele->SetCreatorParser(GetParser());
+    }
     mConstrainSize = false;
   }
@@ -554,13 +556,17 @@ nsXMLContentSink::CloseElement(nsIContent* aContent)
     nsCOMPtr<nsIScriptElement> sele = do_QueryInterface(aContent);
if (mPreventScriptExecution) {
-      sele->PreventExecution();
+      if (sele)
+        sele->PreventExecution();
       return NS_OK;
     }
// Always check the clock in nsContentSink right after a script
     StopDeflecting();
+    if (!sele)
+      return NS_OK;
+
     // Now tell the script that it's ready to go. This may execute the script
     // or return true, or neither if the script doesn't need executing.
     bool block = sele->AttemptToExecute();
diff --git a/content/xml/document/src/nsXMLFragmentContentSink.cpp b/content/xml/document/src/nsXMLFragmentContentSink.cpp
index 738a769..29dd1a3 100644
--- a/content/xml/document/src/nsXMLFragmentContentSink.cpp
+++ b/content/xml/document/src/nsXMLFragmentContentSink.cpp
@@ -229,8 +229,8 @@ nsXMLFragmentContentSink::CloseElement(nsIContent* aContent)
   if (mPreventScriptExecution && aContent->Tag() == nsGkAtoms::script &&
       (aContent->IsHTML() || aContent->IsSVG())) {
     nsCOMPtr<nsIScriptElement> sele = do_QueryInterface(aContent);
-    NS_ASSERTION(sele, "script did QI correctly!");
-    sele->PreventExecution();
+    if (sele)
+      sele->PreventExecution();
   }
   return NS_OK;
 }
diff --git a/dom/xslt/xslt/txMozillaXMLOutput.cpp b/dom/xslt/xslt/txMozillaXMLOutput.cpp
index 6b95345..45b8579 100644
--- a/dom/xslt/xslt/txMozillaXMLOutput.cpp
+++ b/dom/xslt/xslt/txMozillaXMLOutput.cpp
@@ -299,13 +299,14 @@ txMozillaXMLOutput::endElement()
         } else if ((ns == kNameSpaceID_XHTML || ns == kNameSpaceID_SVG) &&
                    localName == nsGkAtoms::script) {
             nsCOMPtr<nsIScriptElement> sele = do_QueryInterface(element);
-            NS_ABORT_IF_FALSE(sele, "script elements need to implement nsIScriptElement");
-            bool block = sele->AttemptToExecute();
-            // If the act of insertion evaluated the script, we're fine.
-            // Else, add this script element to the array of loading scripts.
-            if (block) {
-                rv = mNotifier->AddScriptElement(sele);
-                NS_ENSURE_SUCCESS(rv, rv);
+            if (sele) {
+                bool block = sele->AttemptToExecute();
+                // If the act of insertion evaluated the script, we're fine.
+                // Else, add this script element to the array of loading scripts.
+                if (block) {
+                    rv = mNotifier->AddScriptElement(sele);
+                    NS_ENSURE_SUCCESS(rv, rv);
+                }
             }
         } else if (ns == kNameSpaceID_XHTML &&
                    (localName == nsGkAtoms::input ||
diff --git a/parser/html/nsHtml5TreeOpExecutor.cpp b/parser/html/nsHtml5TreeOpExecutor.cpp
index 6c52e5f..fb377bd 100644
--- a/parser/html/nsHtml5TreeOpExecutor.cpp
+++ b/parser/html/nsHtml5TreeOpExecutor.cpp
@@ -636,6 +636,8 @@ nsHtml5TreeOpExecutor::RunScript(nsIContent* aScriptElement)
NS_ASSERTION(aScriptElement, "No script to run");
   nsCOMPtr<nsIScriptElement> sele = do_QueryInterface(aScriptElement);
+  if (!sele)
+    return;
if (!mParser) {
     NS_ASSERTION(sele->IsMalformed(), "Script wasn't marked as malformed.");

    