
commit 35205629af475aa8399630f2b637dc2c098bca4f
parent b41caab33c2e5a3dc54d042047e6c85804224eb9
Author: Daniel Holbert <dholbert@cs.stanford.edu>
Date:   Thu,  9 Oct 2025 07:04:25 +0000

Bug 1993379 part 1: Add a null-check to TextRenderedRunIterator and CharIterator destructors. r=longsonr,firefox-svg-reviewers

mFrameIterator.Root() can be nullptr, as noted in its own Init() method:
https://searchfox.org/firefox-main/rev/dc1c78e9c37aba6ed05a4ec47c4bfcb16f57b51d/layout/svg/SVGTextFrame.cpp#1568-1571

So we need to null-check it before dereferencing it.

Differential Revision: https://phabricator.services.mozilla.com/D268057

Diffstat:
Mlayout/svg/SVGTextFrame.cpp | 12++++++++++--
Alayout/svg/crashtests/1993379-1.html | 11+++++++++++
Mlayout/svg/crashtests/crashtests.list | 1+
3 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/layout/svg/SVGTextFrame.cpp b/layout/svg/SVGTextFrame.cpp
@@ -1785,7 +1785,11 @@ class TextRenderedRunIterator {
 /**
 * Ensure any cached PropertyProvider is cleared at the end of the iteration.
 */
- ~TextRenderedRunIterator() { mFrameIterator.Root()->ForgetCachedProvider(); }
+ ~TextRenderedRunIterator() {
+ if (auto* root = mFrameIterator.Root()) {
+ root->ForgetCachedProvider();
+ }
+ }
 /**
 * Returns the current TextRenderedRun.
@@ -2019,7 +2023,11 @@ class MOZ_STACK_CLASS CharIterator {
 /**
 * Ensure any cached PropertyProvider is cleared at the end of the iteration.
 */
- ~CharIterator() { mFrameIterator.Root()->ForgetCachedProvider(); }
+ ~CharIterator() {
+ if (auto* root = mFrameIterator.Root()) {
+ root->ForgetCachedProvider();
+ }
+ }
 /**
 * Returns whether the iterator is finished.
diff --git a/layout/svg/crashtests/1993379-1.html b/layout/svg/crashtests/1993379-1.html
@@ -0,0 +1,11 @@
+<script>
+window.addEventListener("DOMContentLoaded", () => {
+ document.execCommand("selectAll", false);
+ b.setAttribute("pointer-events", "none")
+ a.removeChild(a.childNodes[0])
+})
+</script>
+<q id="a">A</q>
+<svg systemLanguage="fi">
+<g id="b">
+<text>
diff --git a/layout/svg/crashtests/crashtests.list b/layout/svg/crashtests/crashtests.list
@@ -272,3 +272,4 @@ load 1882921-1.html
 asserts(5-20) load 1941838.html
 load 1953296.html
 load 1982067-1.html
+skip-if(isDebugBuild) load 1993379-1.html # bug 1467887
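Review bot: The null-check added to `~TextRenderedRunIterator()` is not explained in the code, and the same holds for the identical guard in `~CharIterator()` in the second hunk; the reason exists only in the commit message. I would add one line to the doc comment above each destructor, for example `* Root() can be null (see the frame iterator's Init()), so check before use.` Both class bodies start and continue outside these hunks, so whether other members call `mFrameIterator.Root()->...` without a check cannot be seen from here. If any do, they need the same guard, because a null dereference there would be the same crash this commit fixes.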
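Review bot: The new manifest entry is skipped on debug builds, so this regression test never runs in the configuration where assertions are enabled, and the trailing `# bug 1467887` gives a bug number but no reason. A reader who wants to re-enable it has to open the bug to learn what blocks it. I would put the reason in words next to the number, for example `# asserts in debug builds, bug 1467887` if that is indeed why it is skipped.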