Closed Bug 140484 Opened 24 years ago Closed 23 years ago

tagStr incorrectly freed in nsListCommand::GetCurrentState (lurking crash)

Categories

(Core :: DOM: Editor, defect, P2)

Product:
Core
Component:
DOM: Editor
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.0

People

(Reporter: mcguirk, Assigned: mozeditor)

Details

(Whiteboard: [adt2 rtm],custrtm-)

Attachments

(1 file)

Suggested patch
717 bytes, patch
mozeditor
: review+
kinmoz
: superreview+
Details | Diff | Splinter Review
Look at nsListCommand::GetCurrentState(nsIEditor*, const char*, nsICommandParams*) and GetListState() in mozilla/editor/composer/src/nsComposerCommands.cpp. Notice that in the latter function, _retval is never touched if you're in a mixed state, but in the former function, tagStr is freed if it is not NULL, and it has never been initialized to NULL. In other words, you get a bad free if you're in a mixed state. The parallel cases in this file seem to be OK, because the called functions set *_retval = nsnull at the beginning.
Attached patch Suggested patchSplinter Review
Suggested patch: Set *_retval to NULL, as is done in the parallel cases, to avoid the bad free.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: patch, review
Summary: tagStr incorrectly freed in nsListCommand::GetCurrentState → tagStr incorrectly freed in nsListCommand::GetCurrentState (lurking crash)
probably introduced by mjudge but I'll reassign to jfrancis for review of this patch
Assignee: syd → jfrancis
Component: Editor: Composer → Editor: Core
Keywords: nsbeta1
Comment on attachment 81249 [details] [diff] [review] Suggested patch r = jfrancis
Attachment #81249 - Flags: review+
cc'ing kin for sr
Status: NEW → ASSIGNED
Comment on attachment 81249 [details] [diff] [review] Suggested patch sr=kin@netscape.com
Attachment #81249 - Flags: superreview+
nsbeta1+.
Keywords: nsbeta1nsbeta1+
Priority: -- → P2
Whiteboard: [adt2 rtm]
Target Milestone: --- → mozilla1.0
fixed on trunk. Thanks Dan!
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
vurryphied
Status: RESOLVED → VERIFIED
adt1.0.0
Keywords: adt1.0.0
adding adt1.0.0+. Please get drivers approval and then check into the 1.0 branch.
Keywords: adt1.0.0adt1.0.0+
changing to adt1.0.1+ for checkin to the 1.0 branch for the Mozilla1.0.1 milestone. Please get drivers approval before checking in.
Keywords: adt1.0.0+adt1.0.1+
Whiteboard: [adt2 rtm] → [adt2 rtm],custrtm-
Keywords: mozilla1.0.1
please checkin to the 1.0.1 branch. once there, remove the "mozilla1.0.1+" keyword and add the "fixed1.0.1" keyword.
Keywords: mozilla1.0.1mozilla1.0.1+
Branch landing completed. Now we sit back and watch the money roll in!
Keywords: mozilla1.0.1+fixed1.0.1
marking verified per Joe
Keywords: fixed1.0.1verified1.0.1
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: