Closed
Bug 334687
Opened 19 years ago
Closed 19 years ago
Possible null pointer dereference in nsPluginHostImpl.cpp
Categories
(Core Graveyard :: Plug-ins, defect)
Core Graveyard
Plug-ins
Tracking
(Not tracked)
RESOLVED
FIXED
mozilla1.9alpha1
People
(Reporter: kherron+mozilla, Assigned: rflint)
References
(Blocks 1 open bug, )
Details
(Keywords: coverity)
Attachments
(1 file, 1 obsolete file)
|
969 bytes,
patch
|
jst
:
review+
jst
:
superreview+
|
Details | Diff | Splinter Review |
Please refer to the sample URL. The |nsActivePlugin| dtor tests a member called |mPeer| for a possible NULL value at line 399, which implies the member may contain NULL. Later at line 418, |mPeer| is passed to |NS_RELEASE|, which unconditionally dereferences |mPeer|.
This was found through a coverity scan of the firefox source. I don't know if it can happen in practice, but the ctor for this class may leave |mPeer| set to nsnull.
It seems to me the fix would be to replace NS_RELEASE with NS_RELEASE_IF, or else move the NS_RELEASE call inside the block beginning at line 400.
|
Reporter | |
Updated•19 years ago
|
Whiteboard: [good first bug]
|
Assignee | |
Comment 1•19 years ago
|
||
Assignee: nobody → rflint
Status: NEW → ASSIGNED
Attachment #219479 -
Flags: superreview?(jst)
Attachment #219479 -
Flags: review?(jst)
|
||
Comment 2•19 years ago
|
||
Comment on attachment 219479 [details] [diff] [review]
Call NS_RELEASE only if mPeer is not null
+ NS_RELEASE(mPeer);
}
// now check for cached plugins because they haven't had nsIPluginInstance::Destroy()
// called yet. For non-cached plugins, nsIPluginInstance::Destroy() is called
// in either nsObjectFrame::Destroy() or nsActivePluginList::stopRunning()
PRBool doCache = PR_TRUE;
mInstance->GetValue(nsPluginInstanceVariable_DoCacheBool, (void *) &doCache);
if (doCache)
mInstance->Destroy();
NS_RELEASE(mInstance);
- NS_RELEASE(mPeer);
I suspect order may matter here, and to play it safe I'd rather see the NS_RELEASE() changed to an NS_IF_RELEASE() w/o changing the release order here.
r- based on that. I'll happily r+sr a patch that doesn't change the order in which we release these objects.
Attachment #219479 -
Flags: superreview?(jst)
Attachment #219479 -
Flags: review?(jst)
Attachment #219479 -
Flags: review-
|
|
Assignee | |
Comment 3•19 years ago
|
||
Attachment #219479 -
Attachment is obsolete: true
Attachment #219716 -
Flags: superreview?(jst)
Attachment #219716 -
Flags: review?(jst)
|
|
||
Comment 4•19 years ago
|
||
Comment on attachment 219716 [details] [diff] [review]
Keep release order
r+sr=jst
Attachment #219716 -
Flags: superreview?(jst)
Attachment #219716 -
Flags: superreview+
Attachment #219716 -
Flags: review?(jst)
Attachment #219716 -
Flags: review+
|
|
Assignee | |
Updated•19 years ago
|
Whiteboard: [good first bug] → [checkin needed]
|
||
Comment 5•19 years ago
|
||
mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp 1.554
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Whiteboard: [checkin needed]
Target Milestone: --- → mozilla1.9alpha
|
||
Updated•7 years ago
|
Blocks: coverity-analysis
|
||
Updated•3 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•