
commit 485624dbe95b53a760b77ac56ea95327cd9977c7
parent d87eb30d610a3032111f9ee47441b53927de63d3
Author: Jan-Niklas Jaeschke <jjaschke@mozilla.com>
Date:   Sun, 19 Oct 2025 17:04:14 +0000

Bug 1949476 - Fix assertion if find-in-page goes into a shadow DOM which is outside of <body>. r=emilio

Differential Revision: https://phabricator.services.mozilla.com/D269162

Diffstat:
Mtoolkit/components/find/moz.build | 2++
Atoolkit/components/find/test/crashtests/1949476.html | 28++++++++++++++++++++++++++++
Atoolkit/components/find/test/crashtests/crashtests.list | 1+
Mtoolkit/components/typeaheadfind/nsTypeAheadFind.cpp | 14+-------------
4 files changed, 32 insertions(+), 13 deletions(-)

diff --git a/toolkit/components/find/moz.build b/toolkit/components/find/moz.build
@@ -30,4 +30,6 @@ SOURCES += [
 MOCHITEST_MANIFESTS += ["test/mochitest/mochitest.toml"]
+CRASHTEST_MANIFESTS += ["test/crashtests/crashtests.list"]
+
 FINAL_LIBRARY = "xul"
diff --git a/toolkit/components/find/test/crashtests/1949476.html b/toolkit/components/find/test/crashtests/1949476.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8">
+ <title>Bug 1949476 - Crash when TypeAheadFind searches shadow DOM outside document</title>
+</head>
+<body>
+ <script>
+ // Set up shadow DOM outside of document body (as sibling to body)
+ document.documentElement.append(document.createElement("div"));
+ const shadowHost = document.querySelector("div");
+ const shadowRoot = shadowHost.attachShadow({ mode: "closed" });
+ shadowRoot.textContent = "foo";
+
+ // Set selection into shadow DOM
+ const sel = window.getSelection();
+ const r = document.createRange();
+ r.selectNodeContents(shadowRoot);
+ sel.addRange(r);
+
+ const finder = SpecialPowers.Cc["@mozilla.org/typeaheadfind;1"]
+ .getService(SpecialPowers.Ci.nsITypeAheadFind);
+ finder.init(SpecialPowers.wrap(window).docShell);
+ finder.find("f", false, SpecialPowers.Ci.nsITypeAheadFind.FIND_FIRST, true);
+ finder.find("fo", false, SpecialPowers.Ci.nsITypeAheadFind.FIND_NEXT, true);
+ </script>
+</body>
+</html>
diff --git a/toolkit/components/find/test/crashtests/crashtests.list b/toolkit/components/find/test/crashtests/crashtests.list
@@ -0,0 +1 @@
+load 1949476.html
diff --git a/toolkit/components/typeaheadfind/nsTypeAheadFind.cpp b/toolkit/components/typeaheadfind/nsTypeAheadFind.cpp
@@ -647,22 +647,10 @@ nsresult nsTypeAheadFind::GetSearchContainers(
 if (!doc) return NS_ERROR_FAILURE;
- nsCOMPtr<nsIContent> rootContent;
- if (doc->IsHTMLOrXHTML()) {
- rootContent = doc->GetBody();
- }
-
- if (!rootContent) {
- rootContent = doc->GetRootElement();
- if (!rootContent) {
- return NS_ERROR_FAILURE;
- }
- }
-
 if (!mSearchRange) {
 mSearchRange = nsRange::Create(doc);
 }
- nsCOMPtr<nsINode> searchRootNode(rootContent);
+ nsCOMPtr<nsINode> searchRootNode(doc);
 mSearchRange->SelectNodeContents(*searchRootNode, IgnoreErrors());
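Review bot: The early `return NS_ERROR_FAILURE` for a document with no root element goes away with the removed block, so an empty document now reaches `SelectNodeContents` and, as far as this hunk shows, carries on with a collapsed search range while `IgnoreErrors()` hides any failure. If callers still rely on that bail-out, keep it as `if (!doc->GetRootElement()) return NS_ERROR_FAILURE;` before the range is set up; otherwise a crashtest for a rootless document would pin the new behaviour, since the page controls the DOM shape that reaches this code. The widened root also deserves a comment at `searchRootNode(doc)`, e.g. `// Search the whole document: the selection can sit in content (such as a shadow host) outside <body>, see bug 1949476.` The `nsCOMPtr<nsINode>` temporary is now only a wrapper around `doc`, so `mSearchRange->SelectNodeContents(*doc, IgnoreErrors());` would read more directly. GetSearchContainers starts and continues outside this hunk, so how the rest of the function uses the range is not visible here.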