Bug 1667491: Fix null pointer deref. r=nika

Differential Revision: https://phabricator.services.mozilla.com/D91834
2020-09-30 19:18:19 +00:00
parent a2265185b1
commit 68a4b05ec3
3 changed files with 41 additions and 8 deletions
--- a/docshell/base/crashtests/1667491.html
+++ b/docshell/base/crashtests/1667491.html
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html class="reftest-wait">
+<head>
+  <meta charset="UTF-8">
+<script>
+  function go() {
+    const HTML = `
+<script>
+function go() {
+  document.body.appendChild(a)
+  window.frames[0].onbeforeunload = document.createElement("body").onload;
+  window.requestIdleCallback(() => {
+    window.close();
+    finish();
+  });
+}
+<\/script>
+<body onload="go()">
+<iframe id="a"></iframe>
+<iframe></iframe>
+    `;
+
+    let win = window.open(`data:text/html,${encodeURIComponent(HTML)}`);
+    win.finish = function() {
+      document.documentElement.removeAttribute("class");
+    };
+  }
+</script>
+</head>
+<body onload="go()">
+</body>
+</html>
--- a/docshell/base/crashtests/crashtests.list
+++ b/docshell/base/crashtests/crashtests.list
@@ -18,3 +18,4 @@ load 1341657.html
 load 1584467.html
 load 1614211-1.html
 load 1617315-1.html
+skip-if(Android) pref(dom.disable_open_during_load,false) pref(security.data_uri.unique_opaque_origin,false) pref(security.data_uri.block_toplevel_data_uri_navigations,false) load 1667491.html
--- a/layout/base/nsDocumentViewer.cpp
+++ b/layout/base/nsDocumentViewer.cpp
@@ -1223,18 +1223,18 @@ nsDocumentViewer::PermitUnload(PermitUnloadAction aAction,
  bool foundBlocker = false;
  bool foundOOPListener = false;
  bc->PreOrderWalk([&](BrowsingContext* aBC) {
-    if (aBC->IsInProcess()) {
-      nsCOMPtr<nsIContentViewer> contentViewer;
-      aBC->GetDocShell()->GetContentViewer(getter_AddRefs(contentViewer));
-      if (contentViewer &&
-          contentViewer->DispatchBeforeUnload() == eRequestBlockNavigation) {
-        foundBlocker = true;
-      }
-    } else {
+    if (!aBC->IsInProcess()) {
      WindowContext* wc = aBC->GetCurrentWindowContext();
      if (wc && wc->HasBeforeUnload()) {
        foundOOPListener = true;
      }
+    } else if (aBC->GetDocShell()) {
+      nsCOMPtr<nsIContentViewer> contentViewer(
+          aBC->GetDocShell()->GetContentViewer());
+      if (contentViewer &&
+          contentViewer->DispatchBeforeUnload() == eRequestBlockNavigation) {
+        foundBlocker = true;
+      }
    }
  });