Closed Bug 1181909 Opened 5 years ago Closed 5 years ago

Fix null dereference in NextPartObserver in MultipartImage.cpp

Categories

(Core :: ImageLib, defect)

defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla42
Tracking Status
firefox42 --- fixed

People

(Reporter: seth, Assigned: seth)

Attachments

(1 file)

I'm amazed that we haven't hit it in testing up to now, but it's clearly possible that we can dereference |mImage| in NextPartObserver::BlockUntilDecodedAndFinishObserving() (found in MultipartImage.cpp) when it's null.

This is because we call GetFrame() to synchronously finish decoding the part we're working on, and that will cause synchronous notifications to be delivered that end up calling NextPartObserver::FinishObserving(), which nulls out mImage. After GetFrame() returns, we unconditionally call FinishObserving(), and if it has already been called, we'll dereference a null pointer.

The fix is simple: we need to check whether FinishObserving() has already been called (by checking if mImage is null) before calling it again.
Blocks: 1117607
Attachment #8631387 - Flags: review?(tnikkel) → review+
Thanks for the review!
https://hg.mozilla.org/mozilla-central/rev/12e48af1f02f
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
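
The re-entrancy described in the bug report, reduced to a small model. This is an added example, not code from MultipartImage.cpp or from the attached patch: the class and method names mirror the description, while `mNotifiesSynchronously`, `mNullDerefs`, `aGuarded`, `Result` and `RunScenario` are hypothetical, and the model counts the faulting call instead of crashing.

```cpp
// Added illustration: a constructed model, not Mozilla's MultipartImage.cpp.
struct NextPartObserver;

struct Image {
  NextPartObserver* mObserver = nullptr;
  bool mNotifiesSynchronously = true;  // assumption: decode completes inside GetFrame()
  void GetFrame();
};

struct NextPartObserver {
  Image* mImage = nullptr;
  int mNullDerefs = 0;  // calls that would have dereferenced a null mImage

  void BeginObserving(Image* aImage) {
    mImage = aImage;
    aImage->mObserver = this;
  }

  void FinishObserving() {
    if (!mImage) {    // the model records the fault here; the code the bug
      ++mNullDerefs;  // describes would dereference mImage at this point
      return;
    }
    mImage->mObserver = nullptr;
    mImage = nullptr;  // observing is over
  }

  void BlockUntilDecodedAndFinishObserving(bool aGuarded) {
    mImage->GetFrame();  // may re-enter FinishObserving() before returning
    if (!aGuarded || mImage) {  // the fix: skip the call if mImage is already null
      FinishObserving();
    }
  }
};

void Image::GetFrame() {
  if (mNotifiesSynchronously && mObserver) {
    mObserver->FinishObserving();  // synchronous notification
  }
}

struct Result { int nullDerefs; bool stillObserving; };

Result RunScenario(bool aGuarded, bool aNotifiesSynchronously) {
  Image image;
  image.mNotifiesSynchronously = aNotifiesSynchronously;
  NextPartObserver observer;
  observer.BeginObserving(&image);
  observer.BlockUntilDecodedAndFinishObserving(aGuarded);
  return {observer.mNullDerefs, observer.mImage != nullptr};
}
```

The guard only skips the second call; when no synchronous notification arrives, the guarded path still calls FinishObserving() once, so observation always ends.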