Closed Bug 332415 Opened 18 years ago Closed 18 years ago

Double free lurking in js_NewRegExpObject

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: mrbkap, Assigned: brendan)

Details

(Keywords: fixed1.8.1)

Attachments

(1 file)

fix
1.04 KB, patch
brendan
: review+
brendan
: approval-branch-1.8.1+
Details | Diff | Splinter Review 
I noticed this piece of code the other day:

    obj = js_NewObject(cx, &js_RegExpClass, NULL, NULL);
    if (!obj || !JS_SetPrivate(cx, obj, re) || !js_SetLastIndex(cx, obj, 0)) {
        js_DestroyRegExp(cx, re);

In the case that the JS_SetPrivate succeeds and the js_SetLastIndex fails, re is held on to by the object (to be released in its finalizer) but it's also destroyed by the explict call to js_DestroyRegExp. Brendan has a patch.
Attached patch fixSplinter Review 
Assignee: general → brendan
Status: NEW → ASSIGNED

        Attachment #216878 -
        Flags: review+

    
  

        Attachment #216878 -
        Flags: approval-branch-1.8.1+

    
    

    
  
Fixed on trunk and 1.8 branch.

/be
Blocks: js1.6rc1
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED
Flags: in-testsuite-

    
    

    
  
not on 1.8.0, not making js16
No longer blocks: js1.6rc1

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: