Closed Bug 376611 Opened 17 years ago Closed 17 years ago

Don't cache marker frames

Categories

(Core :: SVG, defect)


RESOLVED FIXED

People

(Reporter: longsonr, Assigned: longsonr)

Details

(Whiteboard: [sg:critical?] post 1.8-branch)

Attachments

(2 files, 1 obsolete file)

Marker frames suffer from the same issue as bug 375775.
Attached image attempted testcase
This causes Mozilla to reference deleted memory. Depending on the values it points to, you might crash.
Attached patch patch (obsolete)
Attachment #260733 - Flags: review?(tor)
Comment on attachment 260733 (patch)

> class nsSVGMarkerProperty : public nsStubMutationObserver {
...
>+  nsWeakPtr AddMutationObserver(nsIURI *aURI, nsIContent *aContent);
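
Review bot: In the added declaration of AddMutationObserver, nothing in the quoted lines says what the returned weak reference refers to or what comes back when aURI does not resolve to a usable target. Add a comment at the declaration stating both, and note that callers must null-check the resolved referent before each use, since a weak reference is only useful here if the target is allowed to be destroyed in the meantime.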

nsWeakPtr is actually nsCOMPtr<nsIWeakReference> and the nsCOMPtr user manual says not to use nsCOMPtrs as return values:

  http://www.mozilla.org/projects/xpcom/nsCOMPtr.html#guide_nsCOMPtr_in_APIs
Attachment #260733 - Flags: review?(tor) → review-
Attachment #260733 - Attachment is obsolete: true
Attachment #260815 - Flags: review?(tor)
Attachment #260815 - Flags: review?(tor) → review+
Attachment #260815 - Flags: superreview?(roc)
Attachment #260815 - Flags: superreview?(roc) → superreview+
checked in.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
This doesn't crash in FF2.0.0.3 -- a trunk only feature/problem?
Flags: wanted1.8.1.x-
Whiteboard: [sg:critical?] post 1.8-branch
This is a fix for bug 371563. The 1.8 branch has a completely different implementation of markers so this fix is not required there.
Group: security