Closed Bug 149320 Opened 23 years ago Closed 22 years ago

crash if invalid setStart is set on a Range

Categories

(Core :: DOM: Core & HTML, defect, P3)

x86
Windows 2000
defect

Tracking

()

RESOLVED FIXED

People

(Reporter: mail, Assigned: mozeditor)

References

Details

(Keywords: crash, testcase, Whiteboard: fixinhand, has r= and sr=)

Attachments

(3 files, 1 obsolete file)

From Bugzilla Helper: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0rc3) Gecko/20020523 BuildID: 2002052306 setStart to an invalid offset for a Range. Alert or appending of textNode of Range causes crash. Reproducible: Always Steps to Reproduce: 1. createRange 2. setStart to invalid offset Actual Results: crash Expected Results: error
Attached file testcase (deleted) —
Attached file testcase (deleted) —
Added try-catch to testcase. Should catch an INDEX_SIZE_ERR exception rather than crashing.
With 2002060408/trunk/W2K using 1st testcase -> crash, TB7054045Q
Keywords: crash, testcase
reassign to Kin
Assignee: anthonyd → kin
Attached patch a proposed patch (obsolete) (deleted) — Splinter Review
I add some condition to avoid crash for nil point, I think this patch can match the reporter's need.
who can review the patch for this bug.
Before checking in any content iterator changes, or getting a super review, I would get a review from jfrancis@netscape.com who wrote it. That said, I believe there is an implicit assumption by the content iterator and all backend users of range (like the editor) that the range will either be un-positioned or contain valid containers and offsets. I really think that we need to fix SetStart()/SetEnd()or the underlying DoSetRange() function to validate indexes and containers ... I'm actually quite surprised that it's not doing that already since the spec mentions specific situations to check for.
Blocks: 30838
Status: NEW → ASSIGNED
Priority: -- → P3
Target Milestone: --- → mozilla1.1beta
I agree with Kin. Lets fix this in the right place. Submitting patch soon.
Assignee: kin → jfrancis
Status: ASSIGNED → NEW
This fixes it, and generates the out-of-bounds error expected in the second testcase. Kin, can you sr?
Attachment #89879 - Attachment is obsolete: true
The days of having a half dozen milestones out in front of us to divide bugs between seem to be gone, though I dont know why. Lumping everything together as far out as I can. I'll pull back things that I am working on as I go.
Target Milestone: mozilla1.1beta → mozilla1.2beta
Status: NEW → ASSIGNED
Whiteboard: fixinhand; need r=,sr=
Target Milestone: mozilla1.2beta → M1
Comment on attachment 91184 [details] [diff] [review] patch to content/base/nsRange.{h,cpp} sr=kin@netscape.com
Attachment #91184 - Flags: superreview+
Comment on attachment 91184 [details] [diff] [review] patch to content/base/nsRange.{h,cpp} One comment only : DOM Comments are also CharacterData so I would prefer to see them appear in the main 'if' case of GetNodeLength()... Just in case we decide some day in the future to allow visibility of XML comments. r=glazman
Attachment #91184 - Flags: review+
Whiteboard: fixinhand; need r=,sr= → fixinhand, has r= and sr=
fix landed on trunk
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Flags: in-testsuite+
Component: DOM: Traversal-Range → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: