summary refs log tree commit diff
path: root/gnu/packages/patches/icecat-CVE-2016-2818-pt1.patch
blob: 57bc45f3c2148826ce405a2af6b36852b884a16e (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
  changeset:   312039:4290826b078c
  user:        Timothy Nikkel <tnikkel@gmail.com>
  Date:        Fri May 13 06:09:38 2016 +0200
  summary:     Bug 1261230. r=mats, a=ritu

diff -r 45a59425b498 -r 4290826b078c layout/generic/nsSubDocumentFrame.cpp
--- a/layout/generic/nsSubDocumentFrame.cpp	Tue May 10 14:12:20 2016 +0200
+++ b/layout/generic/nsSubDocumentFrame.cpp	Fri May 13 06:09:38 2016 +0200
@@ -132,6 +132,7 @@
     nsCOMPtr<nsIDocument> oldContainerDoc;
     nsView* detachedViews =
       frameloader->GetDetachedSubdocView(getter_AddRefs(oldContainerDoc));
+    frameloader->SetDetachedSubdocView(nullptr, nullptr);
     if (detachedViews) {
       if (oldContainerDoc == aContent->OwnerDoc()) {
         // Restore stashed presentation.
@@ -142,7 +143,6 @@
         frameloader->Hide();
       }
     }
-    frameloader->SetDetachedSubdocView(nullptr, nullptr);
   }
 
   nsContentUtils::AddScriptRunner(new AsyncFrameInit(this));
@@ -936,13 +936,16 @@
     if (!mPresShell->IsDestroying()) {
       mPresShell->FlushPendingNotifications(Flush_Frames);
     }
+
+    // Either the frame has been constructed by now, or it never will be,
+    // either way we want to clear the stashed views.
+    mFrameLoader->SetDetachedSubdocView(nullptr, nullptr);
+
     nsSubDocumentFrame* frame = do_QueryFrame(mFrameElement->GetPrimaryFrame());
     if ((!frame && mHideViewerIfFrameless) ||
         mPresShell->IsDestroying()) {
       // Either the frame element has no nsIFrame or the presshell is being
-      // destroyed. Hide the nsFrameLoader, which destroys the presentation,
-      // and clear our references to the stashed presentation.
-      mFrameLoader->SetDetachedSubdocView(nullptr, nullptr);
+      // destroyed. Hide the nsFrameLoader, which destroys the presentation.
       mFrameLoader->Hide();
     }
     return NS_OK;
@@ -968,7 +971,7 @@
   // Detach the subdocument's views and stash them in the frame loader.
   // We can then reattach them if we're being reframed (for example if
   // the frame has been made position:fixed).
-  nsFrameLoader* frameloader = FrameLoader();
+  RefPtr<nsFrameLoader> frameloader = FrameLoader();
   if (frameloader) {
     nsView* detachedViews = ::BeginSwapDocShellsForViews(mInnerView->GetFirstChild());
     frameloader->SetDetachedSubdocView(detachedViews, mContent->OwnerDoc());
@@ -977,7 +980,7 @@
     // safely determine whether the frame is being reframed or destroyed.
     nsContentUtils::AddScriptRunner(
       new nsHideViewer(mContent,
-                       mFrameLoader,
+                       frameloader,
                        PresContext()->PresShell(),
                        (mDidCreateDoc || mCallingShow)));
   }