Fix null dereference in NextPartObserver in MultipartImage.cpp

RESOLVED FIXED in Firefox 42

Status: defect, RESOLVED FIXED

People

(Reporter: seth, Assigned: seth)

Tracking

unspecified
mozilla42
Firefox Tracking Flags

(firefox42 fixed)

Attachments

(1 attachment)

I'm amazed that we haven't hit it in testing up to now, but it's clearly possible that we can dereference |mImage| in NextPartObserver::BlockUntilDecodedAndFinishObserving() (found in MultipartImage.cpp) when it's null.

This is because we call GetFrame() to synchronously finish decoding the part we're working on, and that will cause synchronous notifications to be delivered that end up calling NextPartObserver::FinishObserving(), which nulls out mImage. After GetFrame() returns, we unconditionally call FinishObserving(), and if it has already been called, we'll dereference a null pointer.

The fix is simple: we need to check whether FinishObserving() has already been called (by checking if mImage is null) before calling it again.
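The re-entrancy described above, as an added toy model (not Gecko's MultipartImage.cpp code): a synchronous GetFrame() stand-in delivers its notification before returning, which clears mImage; the unguarded path then reaches FinishObserving() with a null mImage, while the guarded path checks mImage first, as the fix does. Image, onDecodeDone, Outcome and RunScenario are constructed names, and the null dereference is modelled as a false return rather than an actual crash.

```cpp
#include <functional>

// Constructed stand-in for the image whose pointer the observer holds
// (hypothetical; not Gecko's Image class).
struct Image {
  // Models GetFrame(): a synchronous decode that may deliver its
  // "decoded" notification re-entrantly, before it returns.
  std::function<void()> onDecodeDone;
  void GetFrame() { if (onDecodeDone) onDecodeDone(); }
};

// Toy model of NextPartObserver; method names follow the bug report.
struct NextPartObserver {
  Image* mImage = nullptr;
  int finishCount = 0;  // how many times FinishObserving() completed
  bool guarded;         // true = fixed behaviour, false = original bug
  explicit NextPartObserver(bool aGuarded) : guarded(aGuarded) {}

  // Finishes observing the current part and clears mImage. Returns false
  // where the real code would dereference a null mImage.
  bool FinishObserving() {
    if (!mImage) return false;  // models the crash instead of crashing
    ++finishCount;
    mImage = nullptr;
    return true;
  }

  bool BlockUntilDecodedAndFinishObserving() {
    mImage->GetFrame();  // may re-enter FinishObserving() synchronously
    if (guarded && !mImage) {
      return true;  // fix: already finished during GetFrame(), do nothing
    }
    return FinishObserving();  // unguarded: null mImage if re-entered
  }
};

struct Outcome {
  bool safe;        // true if no null dereference would have happened
  int finishCount;  // FinishObserving() must complete exactly once
};

// Runs the scenario from the report: decoding completes synchronously
// inside GetFrame(), so FinishObserving() runs re-entrantly.
Outcome RunScenario(bool guarded) {
  Image image;
  NextPartObserver observer(guarded);
  observer.mImage = &image;
  image.onDecodeDone = [&observer] { observer.FinishObserving(); };
  bool safe = observer.BlockUntilDecodedAndFinishObserving();
  return Outcome{safe, observer.finishCount};
}
```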
Blocks: 1117607
Attachment #8631387 - Flags: review?(tnikkel) → review+
Thanks for the review!
https://hg.mozilla.org/mozilla-central/rev/12e48af1f02f
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla42