From: timeless@mozdev.org

Bug 522214 Crash when setting null on charset [@ strlen | nsDependentCString::nsDependentCString(char const*)]
r=bz

diff --git a/docshell/base/crashtests/522214-1.html b/docshell/base/crashtests/522214-1.html
new file mode 100644
--- /dev/null
+++ b/docshell/base/crashtests/522214-1.html
@@ -0,0 +1,19 @@
+<html class="reftest-wait">
+<head>
+<script>
+function boom()
+{
+  netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
+  var navigator2 = window.QueryInterface(Components.interfaces.nsIInterfaceRequestor)
+                         .getInterface(Components.interfaces.nsIWebNavigation);
+  var docShell = navigator2.QueryInterface(Components.interfaces.nsIDocShell);
+  var aserv = Components.classes["@mozilla.org/atom-service;1"]
+                        .getService(Components.interfaces.nsIAtomService);
+  var docCharset = docShell.QueryInterface(Components.interfaces.nsIDocCharset);
+  docCharset.charset = null;
+  document.documentElement.removeAttribute("class");
+}
+</script>
+<body onload="setTimeout(boom, 100)">
+</body>
+</html>
diff --git a/docshell/base/crashtests/522214-2.html b/docshell/base/crashtests/522214-2.html
new file mode 100644
--- /dev/null
+++ b/docshell/base/crashtests/522214-2.html
@@ -0,0 +1,19 @@
+<html class="reftest-wait">
+<head>
+<script>
+function boom()
+{
+  netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
+  var navigator2 = window.QueryInterface(Components.interfaces.nsIInterfaceRequestor)
+                         .getInterface(Components.interfaces.nsIWebNavigation);
+  var docShell = navigator2.QueryInterface(Components.interfaces.nsIDocShell);
+  var aserv = Components.classes["@mozilla.org/atom-service;1"]
+                        .getService(Components.interfaces.nsIAtomService);
+  var historyEntry = docShell.QueryInterface(Components.interfaces.nsIHistoryEntry);
+  historyEntry.title = null;
+  document.documentElement.removeAttribute("class");
+}
+</script>
+<body onload="setTimeout(boom, 100)">
+</body>
+</html>
diff --git a/docshell/base/crashtests/crashtests.list b/docshell/base/crashtests/crashtests.list
--- a/docshell/base/crashtests/crashtests.list
+++ b/docshell/base/crashtests/crashtests.list
@@ -6,3 +6,5 @@ load 430628-1.html
 load 432114-1.html
 load 432114-2.html
 load 436900-1.html
+load 522214-1.html
+load 522214-2.html
diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -1734,6 +1734,7 @@ nsDocShell::GetCharset(char** aCharset)
 NS_IMETHODIMP
 nsDocShell::SetCharset(const char* aCharset)
 {
+    NS_ENSURE_ARG_POINTER(aCharset);
     // set the default charset
     nsCOMPtr<nsIContentViewer> viewer;
     GetContentViewer(getter_AddRefs(viewer));
@@ -4627,7 +4628,7 @@ nsDocShell::SetTitle(const PRUnichar * a
     }
 
     if (mGlobalHistory && mCurrentURI && mLoadType != LOAD_ERROR_PAGE) {
-        mGlobalHistory->SetPageTitle(mCurrentURI, nsDependentString(aTitle));
+        mGlobalHistory->SetPageTitle(mCurrentURI, mTitle);
     }
 
 
@@ -10991,8 +10992,9 @@ NS_IMETHODIMP
 nsDocShell::ReloadDocument(const char* aCharset,
                            PRInt32 aSource)
 {
-
-  // XXX hack. kee the aCharset and aSource wait to pick it up
+  NS_ENSURE_ARG_POINTER(aCharset);
+
+  // XXX hack. keep the aCharset and aSource wait to pick it up
   nsCOMPtr<nsIContentViewer> cv;
   NS_ENSURE_SUCCESS(GetContentViewer(getter_AddRefs(cv)), NS_ERROR_FAILURE);
   if (cv)
@@ -11002,19 +11004,19 @@ nsDocShell::ReloadDocument(const char* a
     {
       PRInt32 hint;
       muDV->GetHintCharacterSetSource(&hint);
-      if( aSource > hint ) 
+      if (aSource > hint)
       {
-         muDV->SetHintCharacterSet(nsDependentCString(aCharset));
-         muDV->SetHintCharacterSetSource(aSource);
-         if(eCharsetReloadRequested != mCharsetReloadState) 
-         {
-            mCharsetReloadState = eCharsetReloadRequested;
-            return Reload(LOAD_FLAGS_CHARSET_CHANGE);
-         }
+        muDV->SetHintCharacterSet(nsDependentCString(aCharset));
+        muDV->SetHintCharacterSetSource(aSource);
+        if(eCharsetReloadRequested != mCharsetReloadState) 
+        {
+          mCharsetReloadState = eCharsetReloadRequested;
+          return Reload(LOAD_FLAGS_CHARSET_CHANGE);
+        }
       }
     }
   }
-  //return failer if this request is not accepted due to mCharsetReloadState
+  //return failure if this request is not accepted due to mCharsetReloadState
   return NS_ERROR_DOCSHELL_REQUEST_REJECTED;
 }