Closed
Bug 334687
Opened 18 years ago
Closed 18 years ago
Possible null pointer dereference in nsPluginHostImpl.cpp
Categories
(Core Graveyard :: Plug-ins, defect)
Core Graveyard
Plug-ins
Tracking
(Not tracked)
RESOLVED
FIXED
mozilla1.9alpha1
People
(Reporter: kherron+mozilla, Assigned: rflint)
References
(Blocks 1 open bug, )
Details
(Keywords: coverity)
Attachments
(1 file, 1 obsolete file)
969 bytes,
patch
|
jst
:
review+
jst
:
superreview+
|
Details | Diff | Splinter Review |
Please refer to the sample URL. The |nsActivePlugin| dtor tests a member called |mPeer| for a possible NULL value at line 399, which implies the member may contain NULL. Later at line 418, |mPeer| is passed to |NS_RELEASE|, which unconditionally dereferences |mPeer|. This was found through a coverity scan of the firefox source. I don't know if it can happen in practice, but the ctor for this class may leave |mPeer| set to nsnull. It seems to me the fix would be to replace NS_RELEASE with NS_RELEASE_IF, or else move the NS_RELEASE call inside the block beginning at line 400.
Reporter | ||
Updated•18 years ago
|
Whiteboard: [good first bug]
Assignee | ||
Comment 1•18 years ago
|
||
Assignee: nobody → rflint
Status: NEW → ASSIGNED
Attachment #219479 -
Flags: superreview?(jst)
Attachment #219479 -
Flags: review?(jst)
Comment 2•18 years ago
|
||
Comment on attachment 219479 [details] [diff] [review] Call NS_RELEASE only if mPeer is not null + NS_RELEASE(mPeer); } // now check for cached plugins because they haven't had nsIPluginInstance::Destroy() // called yet. For non-cached plugins, nsIPluginInstance::Destroy() is called // in either nsObjectFrame::Destroy() or nsActivePluginList::stopRunning() PRBool doCache = PR_TRUE; mInstance->GetValue(nsPluginInstanceVariable_DoCacheBool, (void *) &doCache); if (doCache) mInstance->Destroy(); NS_RELEASE(mInstance); - NS_RELEASE(mPeer); I suspect order may matter here, and to play it safe I'd rather see the NS_RELEASE() changed to an NS_IF_RELEASE() w/o changing the release order here. r- based on that. I'll happily r+sr a patch that doesn't change the order in which we release these objects.
Attachment #219479 -
Flags: superreview?(jst)
Attachment #219479 -
Flags: review?(jst)
Attachment #219479 -
Flags: review-
Assignee | ||
Comment 3•18 years ago
|
||
Attachment #219479 -
Attachment is obsolete: true
Attachment #219716 -
Flags: superreview?(jst)
Attachment #219716 -
Flags: review?(jst)
Comment 4•18 years ago
|
||
Comment on attachment 219716 [details] [diff] [review] Keep release order r+sr=jst
Attachment #219716 -
Flags: superreview?(jst)
Attachment #219716 -
Flags: superreview+
Attachment #219716 -
Flags: review?(jst)
Attachment #219716 -
Flags: review+
Assignee | ||
Updated•18 years ago
|
Whiteboard: [good first bug] → [checkin needed]
Comment 5•18 years ago
|
||
mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp 1.554
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Whiteboard: [checkin needed]
Target Milestone: --- → mozilla1.9alpha
Updated•6 years ago
|
Blocks: coverity-analysis
Updated•2 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•