Closed Bug 334687 Opened 18 years ago Closed 18 years ago

Possible null pointer dereference in nsPluginHostImpl.cpp

Categories

(Core Graveyard :: Plug-ins, defect)

Product:
Core Graveyard
Component:
Plug-ins
Type:
defect
Priority:
Not set
Severity:
minor

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: kherron+mozilla, Assigned: rflint)

References

(Blocks 1 open bug,
URL
)

Details

(Keywords: coverity)

Attachments

(1 file, 1 obsolete file)

Keep release order
969 bytes, patch
jst
: review+
jst
: superreview+
Details | Diff | Splinter Review 
Please refer to the sample URL. The |nsActivePlugin| dtor tests a member called |mPeer| for a possible NULL value at line 399, which implies the member may contain NULL. Later at line 418, |mPeer| is passed to |NS_RELEASE|, which unconditionally dereferences |mPeer|.

This was found through a coverity scan of the firefox source. I don't know if it can happen in practice, but the ctor for this class may leave |mPeer| set to nsnull.

It seems to me the fix would be to replace NS_RELEASE with NS_RELEASE_IF, or else move the NS_RELEASE call inside the block beginning at line 400.
Whiteboard: [good first bug]
Assignee: nobody → rflint
Status: NEW → ASSIGNED

        Attachment #219479 -
        Flags: superreview?(jst)

        Attachment #219479 -
        Flags: review?(jst)

    
    

    
  
Comment on attachment 219479 [details] [diff] [review]
Call NS_RELEASE only if mPeer is not null

+      NS_RELEASE(mPeer);
     }
 
     // now check for cached plugins because they haven't had nsIPluginInstance::Destroy()
     // called yet. For non-cached plugins, nsIPluginInstance::Destroy() is called
     // in either nsObjectFrame::Destroy() or nsActivePluginList::stopRunning()
     PRBool doCache = PR_TRUE;
     mInstance->GetValue(nsPluginInstanceVariable_DoCacheBool, (void *) &doCache);
     if (doCache)
       mInstance->Destroy();
 
     NS_RELEASE(mInstance);
-    NS_RELEASE(mPeer);

I suspect order may matter here, and to play it safe I'd rather see the NS_RELEASE() changed to an NS_IF_RELEASE() w/o changing the release order here.

r- based on that. I'll happily r+sr a patch that doesn't change the order in which we release these objects.

        Attachment #219479 -
        Flags: superreview?(jst)

        Attachment #219479 -
        Flags: review?(jst)

        Attachment #219479 -
        Flags: review-

    
    

    
  


  

        Attachment #219479 -
        Attachment is obsolete: true

        Attachment #219716 -
        Flags: superreview?(jst)

        Attachment #219716 -
        Flags: review?(jst)

    
    

    
  
Comment on attachment 219716 [details] [diff] [review]
Keep release order

r+sr=jst

        Attachment #219716 -
        Flags: superreview?(jst)

        Attachment #219716 -
        Flags: superreview+

        Attachment #219716 -
        Flags: review?(jst)

        Attachment #219716 -
        Flags: review+
Whiteboard: [good first bug] → [checkin needed]

    
    

    
  
mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp 	1.554
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Whiteboard: [checkin needed]
Target Milestone: --- → mozilla1.9alpha

    
  
Product: Core → Core Graveyard

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: