I'm amazed that we haven't hit it in testing up to now, but it's clearly possible that we can dereference |mImage| in NextPartObserver::BlockUntilDecodedAndFinishObserving() (found in MultipartImage.cpp) when it's null. This is because we call GetFrame() to synchronously finish decoding the part we're working on, and that will cause synchronous notifications to be delivered that end up calling NextPartObserver::FinishObserving(), which nulls out mImage. After GetFrame() returns, we unconditionally call FinishObserving(), and if it has already been called, we'll dereference a null pointer. The fix is simple: we need to check whether FinishObserving() has already been called (by checking if mImage is null) before calling it again.
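The re-entrancy shape described above, as an added example that is not code from MultipartImage.cpp or the patch: a stand-in `FakeImage` whose `GetFrame()` delivers the decode-complete notification synchronously, and a hypothetical `NextPartObserver` with the buggy unconditional `FinishObserving()` call beside the guarded one. The null dereference is modelled as a counted fault rather than an actual crash so both shapes can be run side by side; all class and member names here are reconstructions, not the real Gecko API.

```cpp
#include <cstdio>
#include <functional>
#include <memory>

// Constructed stand-in for the image being decoded. Only the re-entrancy shape
// matters: when synchronous, GetFrame() finishes decoding and delivers the
// "decode complete" notification to the observer *before* it returns.
struct FakeImage {
  explicit FakeImage(bool synchronous) : mSynchronous(synchronous) {}
  std::function<void()> onDecodeComplete;
  void GetFrame() {
    if (mSynchronous && onDecodeComplete) {
      auto cb = onDecodeComplete;  // copy: the handler clears this member
      cb();
    }
  }
  bool mSynchronous;
};

// Hypothetical reconstruction of the observer's relevant state (not the real class).
class NextPartObserver {
public:
  explicit NextPartObserver(std::shared_ptr<FakeImage> image) : mImage(std::move(image)) {
    mImage->onDecodeComplete = [this] { FinishObserving(); };
  }

  // Uses mImage, then nulls it out. A second call would dereference a null
  // pointer in real code; here that is recorded instead of crashing.
  void FinishObserving() {
    if (!mImage) { ++mNullDerefs; return; }
    mImage->onDecodeComplete = nullptr;  // stop observing
    mImage = nullptr;
    ++mFinishCalls;
  }

  // Buggy shape from the report: FinishObserving() unconditionally after GetFrame().
  void BlockUntilDecodedAndFinishObservingBuggy() {
    mImage->GetFrame();  // may re-enter FinishObserving() and null out mImage
    FinishObserving();   // second call hits the null pointer
  }

  // Fixed shape: skip the call if the notification already finished observing.
  void BlockUntilDecodedAndFinishObservingFixed() {
    mImage->GetFrame();
    if (mImage) {
      FinishObserving();
    }
  }

  int finishCalls() const { return mFinishCalls; }
  int nullDerefs() const { return mNullDerefs; }

private:
  std::shared_ptr<FakeImage> mImage;
  int mFinishCalls = 0;
  int mNullDerefs = 0;
};

struct Outcome { int buggyNullDerefs; int buggyFinishes; int fixedNullDerefs; int fixedFinishes; };

// Runs both shapes against an image that does or does not notify synchronously.
// The scenario keeps its own reference to each image so nulling mImage inside
// the notification does not destroy the image while GetFrame() is still running.
Outcome RunScenario(bool synchronousNotification) {
  auto img1 = std::make_shared<FakeImage>(synchronousNotification);
  NextPartObserver buggy(img1);
  buggy.BlockUntilDecodedAndFinishObservingBuggy();

  auto img2 = std::make_shared<FakeImage>(synchronousNotification);
  NextPartObserver fixed(img2);
  fixed.BlockUntilDecodedAndFinishObservingFixed();

  return {buggy.nullDerefs(), buggy.finishCalls(), fixed.nullDerefs(), fixed.finishCalls()};
}

int main() {
  for (bool sync : {true, false}) {
    Outcome o = RunScenario(sync);
    std::printf("synchronous=%d buggy: nullDerefs=%d finishes=%d | fixed: nullDerefs=%d finishes=%d\n",
                sync, o.buggyNullDerefs, o.buggyFinishes, o.fixedNullDerefs, o.fixedFinishes);
  }
  return 0;
}
```

With a synchronous notification the buggy shape records one null dereference while the guarded shape records none; when the notification is not delivered synchronously both shapes call `FinishObserving()` exactly once, which is why the bug went unnoticed in testing until the synchronous path was exercised.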
Attachment #8631387 - Flags: review?(tnikkel) → review+
Thanks for the review!