From ce16f9d2c264dd1ff191d392967efc21c9fc405b Mon Sep 17 00:00:00 2001
From: "longsonr%gmail.com"
Date: Sat, 30 May 2009 20:03:13 +0000
Subject: [PATCH] Bug 466576 - Null deref [@ nsSVGTransformList::GetValueString] after failed appendItem. r+sr=roc a1.9.0.12=dveditz
git-svn-id: svn://10.0.0.236/trunk@257323 18797224-902f-48f8-a5cc-f745e15eee43
---
 .../svg/content/src/nsSVGTransformList.cpp | 50 ++++++++-----------
 1 file changed, 22 insertions(+), 28 deletions(-)
diff --git a/mozilla/content/svg/content/src/nsSVGTransformList.cpp b/mozilla/content/svg/content/src/nsSVGTransformList.cpp
index 1a4346bf084..7c1f4f171d7 100644
--- a/mozilla/content/svg/content/src/nsSVGTransformList.cpp
+++ b/mozilla/content/svg/content/src/nsSVGTransformList.cpp
@@ -49,6 +49,15 @@
 #include "nsContentUtils.h"
 #include "nsIDOMClassInfo.h"
+#define NS_ENSURE_NATIVE_TRANSFORM(obj, retval) \
+ { \
+ nsresult rv; \
+ if (retval) \
+ *retval = nsnull; \
+ nsCOMPtr transform = do_QueryInterface(obj, &rv); \
+ NS_ENSURE_SUCCESS(rv, NS_ERROR_DOM_SVG_WRONG_TYPE_ERR); \
+ }
+
 nsresult
 nsSVGTransformList::Create(nsIDOMSVGTransformList** aResult)
 {
@@ -75,8 +84,7 @@ nsSVGTransformList::ReleaseTransforms()
 for (PRInt32 i = 0; i < count; ++i) {
 nsIDOMSVGTransform* transform = ElementAt(i);
 nsCOMPtr val = do_QueryInterface(transform);
- if (val)
- val->RemoveObserver(this);
+ val->RemoveObserver(this);
 NS_RELEASE(transform);
 }
 mTransforms.Clear();
@@ -95,8 +103,7 @@ nsSVGTransformList::AppendElement(nsIDOMSVGTransform* aElement)
 if (rv) {
 NS_ADDREF(aElement);
 nsCOMPtr val = do_QueryInterface(aElement);
- if (val)
- val->AddObserver(this);
+ val->AddObserver(this);
 }
 return rv;
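Review bot: The new `NS_ENSURE_NATIVE_TRANSFORM` macro expands to a bare `{ ... }` block with a hidden early `return` (through `NS_ENSURE_SUCCESS`), so `NS_ENSURE_NATIVE_TRANSFORM(x, y);` leaves a stray `;` after the block and would misparse inside an unbraced `if`/`else`. Wrapping the body in `PR_BEGIN_MACRO` / `PR_END_MACRO` avoids that, and a comment above the `#define` such as `// Returns NS_ERROR_DOM_SVG_WRONG_TYPE_ERR from the calling method unless obj QIs to the native transform interface; nulls *retval first.` would make the control flow visible at the call sites. The macro also tests `if (retval)` while the callers in this patch later write `*_retval = newItem` unconditionally, so the guard implies a tolerance for a null out-parameter that the methods do not have; it would be clearer to drop the test or assert on it.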
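Review bot: Removing `if (val)` before `val->RemoveObserver(this)` in this loop makes the QI result an unchecked dereference, which is only safe if every pointer ever stored in `mTransforms` has passed the new macro's check. The same guard is dropped in the `AppendElement`, `InsertItemBefore`, `ReplaceItem` and `RemoveItem` hunks; of these, `AppendElement` has no `NS_ENSURE_NATIVE_TRANSFORM` of its own, so any caller other than `Initialize` and `AppendItem` (none is visible in this diff) would now crash on a non-native element instead of skipping it. I would state the invariant where it is relied on, e.g. `NS_ASSERTION(val, "non-native transform in list");` before each unchecked call, and confirm that the interface queried into `val` is the same one the macro tests. The body of `ReleaseTransforms` starts above this hunk.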
@@ -244,18 +251,16 @@ NS_IMETHODIMP nsSVGTransformList::Clear()
 NS_IMETHODIMP nsSVGTransformList::Initialize(nsIDOMSVGTransform *newItem,
 nsIDOMSVGTransform **_retval)
 {
- *_retval = newItem;
- if (!newItem)
- return NS_ERROR_DOM_SVG_WRONG_TYPE_ERR;
+ NS_ENSURE_NATIVE_TRANSFORM(newItem, _retval);
 nsSVGValueAutoNotifier autonotifier(this);
 ReleaseTransforms();
 if (!AppendElement(newItem)) {
- *_retval = nsnull;
 return NS_ERROR_OUT_OF_MEMORY;
 }
+ *_retval = newItem;
 NS_ADDREF(*_retval);
 return NS_OK;
 }
@@ -278,24 +283,21 @@ NS_IMETHODIMP nsSVGTransformList::InsertItemBefore(nsIDOMSVGTransform *newItem,
 PRUint32 index,
 nsIDOMSVGTransform **_retval)
 {
- *_retval = newItem;
- if (!newItem)
- return NS_ERROR_DOM_SVG_WRONG_TYPE_ERR;
+ NS_ENSURE_NATIVE_TRANSFORM(newItem, _retval);
 nsSVGValueAutoNotifier autonotifier(this);
 PRUint32 count = mTransforms.Count();
 if (!mTransforms.InsertElementAt((void*)newItem, (index < count)? index: count)) {
- *_retval = nsnull;
 return NS_ERROR_OUT_OF_MEMORY;
 }
 NS_ADDREF(newItem);
 nsCOMPtr val = do_QueryInterface(newItem);
- if (val)
- val->AddObserver(this);
+ val->AddObserver(this);
+ *_retval = newItem;
 NS_ADDREF(*_retval);
 return NS_OK;
 }
@@ -305,10 +307,7 @@ NS_IMETHODIMP nsSVGTransformList::ReplaceItem(nsIDOMSVGTransform *newItem,
 PRUint32 index,
 nsIDOMSVGTransform **_retval)
 {
- if (!newItem)
- return NS_ERROR_DOM_SVG_WRONG_TYPE_ERR;
-
- *_retval = nsnull;
+ NS_ENSURE_NATIVE_TRANSFORM(newItem, _retval);
 nsSVGValueAutoNotifier autonotifier(this);
@@ -323,12 +322,10 @@ NS_IMETHODIMP nsSVGTransformList::ReplaceItem(nsIDOMSVGTransform *newItem,
 }
 nsCOMPtr val = do_QueryInterface(oldItem);
- if (val)
- val->RemoveObserver(this);
+ val->RemoveObserver(this);
 NS_RELEASE(oldItem);
 val = do_QueryInterface(newItem);
- if (val)
- val->AddObserver(this);
+ val->AddObserver(this);
 NS_ADDREF(newItem);
 *_retval = newItem;
@@ -355,8 +352,7 @@ NS_IMETHODIMP nsSVGTransformList::RemoveItem(PRUint32 index, nsIDOMSVGTransform
 }
 nsCOMPtr val = do_QueryInterface(*_retval);
- if (val)
- val->RemoveObserver(this);
+ val->RemoveObserver(this);
 // don't NS_ADDREF(*_retval)
 return NS_OK;
 }
@@ -366,17 +362,15 @@ NS_IMETHODIMP nsSVGTransformList::RemoveItem(PRUint32 index, nsIDOMSVGTransform
 NS_IMETHODIMP nsSVGTransformList::AppendItem(nsIDOMSVGTransform *newItem,
 nsIDOMSVGTransform **_retval)
 {
- *_retval = newItem;
- if (!newItem)
- return NS_ERROR_DOM_SVG_WRONG_TYPE_ERR;
+ NS_ENSURE_NATIVE_TRANSFORM(newItem, _retval);
 nsSVGValueAutoNotifier autonotifier(this);
 if (!AppendElement(newItem)) {
- *_retval = nsnull;
 return NS_ERROR_OUT_OF_MEMORY;
 }
+ *_retval = newItem;
 NS_ADDREF(*_retval);
 return NS_OK;
 }