Closed Bug 332415 Opened 15 years ago Closed 15 years ago

Double free lurking in js_NewRegExpObject

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
normal


RESOLVED FIXED

People

(Reporter: mrbkap, Assigned: brendan)

Details

(Keywords: fixed1.8.1)

Attachments

(1 file)

I noticed this piece of code the other day:

    obj = js_NewObject(cx, &js_RegExpClass, NULL, NULL);
    if (!obj || !JS_SetPrivate(cx, obj, re) || !js_SetLastIndex(cx, obj, 0)) {
        js_DestroyRegExp(cx, re);

In the case that the JS_SetPrivate succeeds and the js_SetLastIndex fails, re is held on to by the object (to be released in its finalizer) but it's also destroyed by the explicit call to js_DestroyRegExp. Brendan has a patch.
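The ownership hand-off that causes the double free, as an added model that is not code from the bug or from SpiderMonkey: the stand-ins (re_t, obj_t, run_finalizer, a failure-injectable js_SetLastIndex, and destroy calls counted instead of freed) are constructed here, the cx parameters are dropped, and the "fixed" shape is one possible fix rather than the patch attached to this bug.

```c
/* Constructed model of js_NewRegExpObject's cleanup path (not SpiderMonkey code). */
#include <stdbool.h>
#include <stddef.h>

typedef struct { int destroy_calls; } re_t;     /* stands in for the compiled regexp */
typedef struct { re_t *private_data; } obj_t;   /* stands in for the JSObject */

/* Model: count destroy calls instead of freeing, so a double free is observable. */
static void js_DestroyRegExp(re_t *re) { re->destroy_calls++; }
static bool JS_SetPrivate(obj_t *obj, re_t *re) { obj->private_data = re; return true; }
static bool js_SetLastIndex(bool fail) { return !fail; }   /* model: failure injectable */

/* Finalizer: the object releases whatever private it still owns. */
static void run_finalizer(obj_t *obj) {
    if (obj->private_data) js_DestroyRegExp(obj->private_data);
}

/* Shape of the code quoted in the report: any failure destroys re explicitly.
 * When JS_SetPrivate already succeeded, the finalizer destroys it again. */
int create_buggy(bool fail_last_index) {
    re_t re = {0};
    obj_t obj = {NULL};
    if (!JS_SetPrivate(&obj, &re) || !js_SetLastIndex(fail_last_index)) {
        js_DestroyRegExp(&re);      /* wrong once obj owns re */
    }
    run_finalizer(&obj);            /* GC eventually finalizes the object */
    return re.destroy_calls;        /* 2 on the failure path: double free */
}

/* One corrected shape (an assumption, not the attached patch): destroy re
 * directly only while it is still ours; after JS_SetPrivate the finalizer
 * is the sole owner, so a later failure must not destroy it here. */
int create_fixed(bool fail_last_index) {
    re_t re = {0};
    obj_t obj = {NULL};
    if (!JS_SetPrivate(&obj, &re)) {
        js_DestroyRegExp(&re);      /* obj never took ownership */
    } else {
        (void)js_SetLastIndex(fail_last_index);   /* failure leaves re to the finalizer */
    }
    run_finalizer(&obj);
    return re.destroy_calls;        /* 1 on every path */
}
```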
Attached patch: fix
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #216878 - Flags: review+
Attachment #216878 - Flags: approval-branch-1.8.1+
Fixed on trunk and 1.8 branch.

/be
Blocks: js1.6rc1
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED
Flags: in-testsuite-
not on 1.8.0, not making js16
No longer blocks: js1.6rc1