Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/8c184c30caa6 Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1230668 # HG changeset patch # User L. David Baron # Date 1452248144 -39600 # Node ID 8c184c30caa6d16f5ec63cce9a77d16f25d2e57e # Parent 0f7224441f2089001f7934b46ac10cb72d267606 Bug 1230668 - Don't use frame when not in composed document. r=heycam a=sylvestre diff --git a/layout/style/nsComputedDOMStyle.cpp b/layout/style/nsComputedDOMStyle.cpp --- a/layout/style/nsComputedDOMStyle.cpp +++ b/layout/style/nsComputedDOMStyle.cpp @@ -421,26 +421,31 @@ nsComputedDOMStyle::GetStyleContextForEl { MOZ_ASSERT(aElement, "NULL element"); // If the content has a pres shell, we must use it. Otherwise we'd // potentially mix rule trees by using the wrong pres shell's style // set. Using the pres shell from the content also means that any // content that's actually *in* a document will get the style from the // correct document. nsIPresShell *presShell = GetPresShellForContent(aElement); + bool inDocWithShell = true; if (!presShell) { + inDocWithShell = false; presShell = aPresShell; if (!presShell) return nullptr; } - // XXX the !aElement->IsHTML(nsGkAtoms::area) - // check is needed due to bug 135040 (to avoid using + // XXX the !aElement->IsHTML(nsGkAtoms::area) + // check is needed due to bug 135040 (to avoid using // mPrimaryFrame). Remove it once that's fixed. - if (!aPseudo && aStyleType == eAll && !aElement->IsHTML(nsGkAtoms::area)) { + if (!aPseudo && aStyleType == eAll && inDocWithShell && + !aElement->IsHTML(nsGkAtoms::area)) { + if (!aPseudo && aStyleType == eAll && inDocWithShell && + !aElement->IsHTMLElement(nsGkAtoms::area)) { nsIFrame* frame = nsLayoutUtils::GetStyleFrame(aElement); if (frame) { nsStyleContext* result = frame->StyleContext(); // Don't use the style context if it was influenced by // pseudo-elements, since then it's not the primary style // for this element. if (!result->HasPseudoElementData()) { // this function returns an addrefed style context @@ -468,17 +473,18 @@ nsComputedDOMStyle::GetStyleContextForEl nsRefPtr sc; if (aPseudo) { nsCSSPseudoElements::Type type = nsCSSPseudoElements::GetPseudoType(aPseudo); if (type >= nsCSSPseudoElements::ePseudo_PseudoElementCount) { return nullptr; } nsIFrame* frame = nsLayoutUtils::GetStyleFrame(aElement); - Element* pseudoElement = frame ? frame->GetPseudoElement(type) : nullptr; + Element* pseudoElement = + frame && inDocWithShell ? frame->GetPseudoElement(type) : nullptr; sc = styleSet->ResolvePseudoElementStyle(aElement, type, parentContext, pseudoElement); } else { sc = styleSet->ResolveStyleFor(aElement, parentContext); } if (aStyleType == eDefaultOnly) { // We really only want the user and UA rules. Filter out the other ones. @@ -592,18 +598,18 @@ nsComputedDOMStyle::UpdateCurrentStyleSo mFlushedPendingReflows = aNeedsLayoutFlush; #endif mPresShell = document->GetShell(); if (!mPresShell || !mPresShell->GetPresContext()) { return; } - // XXX the !mContent->IsHTML(nsGkAtoms::area) - // check is needed due to bug 135040 (to avoid using + // XXX the !mContent->IsHTML(nsGkAtoms::area) + // check is needed due to bug 135040 (to avoid using // mPrimaryFrame). Remove it once that's fixed. if (!mPseudo && mStyleType == eAll && !mContent->IsHTML(nsGkAtoms::area)) { mOuterFrame = mContent->GetPrimaryFrame(); mInnerFrame = mOuterFrame; if (mOuterFrame) { nsIAtom* type = mOuterFrame->GetType(); if (type == nsGkAtoms::tableOuterFrame) { // If the frame is an outer table frame then we should get the style