Closed Bug 1405692 Opened 7 years ago Closed 7 years ago

Make sure mAnimatedGeometryRoot is initialized to nullptr in the rarely used nsDisplayItem that takes an nsIFrame*

Categories

(Core :: Layout, defect, P3)

Product:
Core
Component:
Layout
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla58
Tracking Flags:
Tracking Status
firefox57 + fixed
firefox58 --- fixed

People

(Reporter: jwatt, Assigned: jwatt)

Details

Attachments

(1 file)

patch
837 bytes, patch
mattwoodrow
: review+
ritu
: approval-mozilla-beta+
Details | Diff | Splinter Review 
Seems like the pointer mAnimatedGeometryRoot is not initialized in the rarely used nsDisplayItem that takes an nsIFrame*.
Attached patch patchSplinter Review 

        Attachment #8915149 -
        Flags: review?(matt.woodrow)

    
    

    
  
I'm guessing we could possibly end up dereferencing an uninitialized pointer here, so maybe not a bad idea to uplift since it should be completely safe.

          status-firefox57:
          --- → ?

        Attachment #8915149 -
        Flags: review?(matt.woodrow) → review+

    
    

    
  
[Tracking Requested - why for this release]: see comment 2

          status-firefox57:
          ?affected

          status-firefox58:
          --- → affected

          tracking-firefox57:
          --- → ?

    
    

    
  
Pushed by jwatt@jwatt.org:
https://hg.mozilla.org/integration/mozilla-inbound/rev/c45a9377bfb7
Make sure mAnimatedGeometryRoot is initialized to nullptr in the rarely used nsDisplayItem ctor that takes an nsIFrame*. r=mattwoodrow

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/c45a9377bfb7
Status: NEW → RESOLVED
Closed: 7 years ago

          status-firefox58:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla58

    
    

    
  
please request uplift to beta when you get a chance.

          tracking-firefox57:
          ?+
Flags: needinfo?(jwatt)

    
    

    
  
Comment on attachment 8915149 [details] [diff] [review]
patch

Approval Request Comment
[Feature/Bug causing the regression]: been around a while
[User impact if declined]: potential dereference of uninitialized memory
[Is this code covered by automated tests?]: how we'd trigger a derefernce is unexplored
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: simply initializing a pointer to null - crashing would be better than a security issue
[String changes made/needed]: none
Flags: needinfo?(jwatt)

        Attachment #8915149 -
        Flags: approval-mozilla-beta?

    
    

    
  
Comment on attachment 8915149 [details] [diff] [review]
patch

makes sense, beta57+

        Attachment #8915149 -
        Flags: approval-mozilla-beta? → approval-mozilla-beta+

    
    

    
  
(In reply to Jonathan Watt [:jwatt] (needinfo? me) from comment #7)
> [Needs manual test from QE? If yes, steps to reproduce]: no

Marking this issue as qe-, per Jonathan's assessment on manual testing needs
Flags: qe-verify-

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: