commit 455a21820dff054fb8bde1417f3d0a289917d932 Author: Kathy Brade brade@pearlcrescent.com Date: Thu Jun 25 12:06:54 2015 -0400

fixup! Bug 12827: Create preference to disable SVG.

If an <object> is used to load an SVG from a .xml file, avoid dereferencing null pointers when script elements are created as generic elements (i.e., when svg.in-content.enabled=false). Fixes ticket #16397. --- dom/xml/nsXMLContentSink.cpp | 12 +++++++++--- dom/xml/nsXMLFragmentContentSink.cpp | 4 ++-- dom/xslt/xslt/txMozillaXMLOutput.cpp | 15 ++++++++------- parser/html/nsHtml5TreeOpExecutor.cpp | 2 ++ 4 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/dom/xml/nsXMLContentSink.cpp b/dom/xml/nsXMLContentSink.cpp index cb360a1..3a512e2 100644 --- a/dom/xml/nsXMLContentSink.cpp +++ b/dom/xml/nsXMLContentSink.cpp @@ -473,8 +473,10 @@ nsXMLContentSink::CreateElement(const char16_t** aAtts, uint32_t aAttsCount, || aNodeInfo->Equals(nsGkAtoms::script, kNameSpaceID_SVG) ) { nsCOMPtr<nsIScriptElement> sele = do_QueryInterface(content); - sele->SetScriptLineNumber(aLineNumber); - sele->SetCreatorParser(GetParser()); + if (sele) { + sele->SetScriptLineNumber(aLineNumber); + sele->SetCreatorParser(GetParser()); + } mConstrainSize = false; }

@@ -556,13 +558,17 @@ nsXMLContentSink::CloseElement(nsIContent* aContent) nsCOMPtr<nsIScriptElement> sele = do_QueryInterface(aContent);

if (mPreventScriptExecution) { - sele->PreventExecution(); + if (sele) + sele->PreventExecution(); return NS_OK; }

// Always check the clock in nsContentSink right after a script StopDeflecting();

+ if (!sele) + return NS_OK; + // Now tell the script that it's ready to go. This may execute the script // or return true, or neither if the script doesn't need executing. bool block = sele->AttemptToExecute(); diff --git a/dom/xml/nsXMLFragmentContentSink.cpp b/dom/xml/nsXMLFragmentContentSink.cpp index 7fce46b..b3d25e9 100644 --- a/dom/xml/nsXMLFragmentContentSink.cpp +++ b/dom/xml/nsXMLFragmentContentSink.cpp @@ -230,8 +230,8 @@ nsXMLFragmentContentSink::CloseElement(nsIContent* aContent) if (mPreventScriptExecution && aContent->Tag() == nsGkAtoms::script && (aContent->IsHTML() || aContent->IsSVG())) { nsCOMPtr<nsIScriptElement> sele = do_QueryInterface(aContent); - NS_ASSERTION(sele, "script did QI correctly!"); - sele->PreventExecution(); + if (sele) + sele->PreventExecution(); } return NS_OK; } diff --git a/dom/xslt/xslt/txMozillaXMLOutput.cpp b/dom/xslt/xslt/txMozillaXMLOutput.cpp index d72910e..b4c0098 100644 --- a/dom/xslt/xslt/txMozillaXMLOutput.cpp +++ b/dom/xslt/xslt/txMozillaXMLOutput.cpp @@ -300,13 +300,14 @@ txMozillaXMLOutput::endElement() } else if ((ns == kNameSpaceID_XHTML || ns == kNameSpaceID_SVG) && localName == nsGkAtoms::script) { nsCOMPtr<nsIScriptElement> sele = do_QueryInterface(element); - MOZ_ASSERT(sele, "script elements need to implement nsIScriptElement"); - bool block = sele->AttemptToExecute(); - // If the act of insertion evaluated the script, we're fine. - // Else, add this script element to the array of loading scripts. - if (block) { - rv = mNotifier->AddScriptElement(sele); - NS_ENSURE_SUCCESS(rv, rv); + if (sele) { + bool block = sele->AttemptToExecute(); + // If the act of insertion evaluated the script, we're fine. + // Else, add this script element to the array of loading scripts. + if (block) { + rv = mNotifier->AddScriptElement(sele); + NS_ENSURE_SUCCESS(rv, rv); + } } } else if (ns == kNameSpaceID_XHTML && (localName == nsGkAtoms::input || diff --git a/parser/html/nsHtml5TreeOpExecutor.cpp b/parser/html/nsHtml5TreeOpExecutor.cpp index 6c424c8..ecb238e 100644 --- a/parser/html/nsHtml5TreeOpExecutor.cpp +++ b/parser/html/nsHtml5TreeOpExecutor.cpp @@ -636,6 +636,8 @@ nsHtml5TreeOpExecutor::RunScript(nsIContent* aScriptElement)

NS_ASSERTION(aScriptElement, "No script to run"); nsCOMPtr<nsIScriptElement> sele = do_QueryInterface(aScriptElement); + if (!sele) + return;

if (!mParser) { NS_ASSERTION(sele->IsMalformed(), "Script wasn't marked as malformed.");