nssList_CreateIterator returns pointer to a freed memory if the function fails to allocate a lock

RESOLVED FIXED in 3.12

Status

NSS
Libraries
RESOLVED FIXED
11 years ago
11 years ago

People

(Reporter: Alexei Volkov, Assigned: Alexei Volkov)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

787 bytes, patch
Nelson Bolyard (seldom reads bugmail)
: review+
Details | Diff | Splinter Review
(Assignee)

Description

11 years ago
nss/lib/base/list.c: frees a pointer at list 381, and returns it at 384.

377     if (list->lock) {
378         rvIterator->lock = PZ_NewLock(nssILockOther);
379         if (!rvIterator->lock) {
380             nssList_Destroy(rvIterator->list);
381             nss_ZFreeIf(rvIterator);
382         }
383     }
384     return rvIterator;
(Assignee)

Comment 1

11 years ago
Created attachment 240236 [details] [diff] [review]
set rvIterator to NULL
Attachment #240236 - Flags: review?(nelson)
Attachment #240236 - Flags: review?(nelson) → review+
(Assignee)

Comment 2

11 years ago
/cvsroot/mozilla/security/nss/lib/base/list.c,v  <--  list.c
new revision: 1.20; previous revision: 1.19
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.