according to coverity CID: 1083 from run 176:
Description: Dereferencing freed pointer "surface" in call to function "_moz_cairo_image_surface_get_data" in this method may be use after free.
the basic codepath is:
378 cairo_surface_destroy(surface);
...
400 PRUint8 *data = cairo_image_surface_get_data(surface);
cloned from Bug 368675 comment #3
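The ordering problem Coverity flagged (the surface released at line 378 and its pixel data read at line 400) is a lifetime bug in a reference-counted API. The following is an added C example, not code from this bug or from Mozilla's tree: it uses a hypothetical stand-in for cairo's image surface (names modelled on cairo_surface_reference, cairo_surface_destroy and cairo_image_surface_get_data, but implemented here) to show the two safe disciplines: keep every read of the data before the final destroy, and when some callee drops a reference, hold your own across the call.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a cairo image surface: a refcounted pixel buffer.
 * The function names mirror cairo's, but this is constructed example code. */
typedef struct {
    int refcount;
    int width, height, stride;
    unsigned char *data;
} image_surface_t;

static int g_live_surfaces = 0;  /* surfaces allocated and not yet freed */

static image_surface_t *image_surface_create(int width, int height) {
    image_surface_t *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->refcount = 1;
    s->width = width;
    s->height = height;
    s->stride = width * 4;                         /* 4 bytes per pixel (ARGB32) */
    s->data = calloc((size_t)s->stride * (size_t)height, 1);
    if (!s->data) { free(s); return NULL; }
    g_live_surfaces++;
    return s;
}

static image_surface_t *surface_reference(image_surface_t *s) {
    if (s) s->refcount++;
    return s;
}

/* Drops one reference; frees the pixels and the handle when it hits zero.
 * After that point any use of 's' is a use after free. */
static void surface_destroy(image_surface_t *s) {
    if (!s || --s->refcount > 0) return;
    free(s->data);
    free(s);
    g_live_surfaces--;
}

static unsigned char *image_surface_get_data(image_surface_t *s) {
    return s ? s->data : NULL;
}

/* Stands in for the filter reading the pixels: sum of all pixel bytes. */
static unsigned long sum_pixels(image_surface_t *s) {
    unsigned long total = 0;
    size_t n = (size_t)s->stride * (size_t)s->height;
    for (size_t i = 0; i < n; i++) total += s->data[i];
    return total;
}

/* The flagged ordering, kept as a comment only because running it is
 * undefined behaviour:
 *   cairo_surface_destroy(surface);                         // line 378
 *   ...
 *   PRUint8 *data = cairo_image_surface_get_data(surface);  // line 400, freed pointer
 */

/* Corrected ordering: every read of the pixel data precedes the final destroy. */
static unsigned long filter_paint_fixed(int width, int height) {
    image_surface_t *surface = image_surface_create(width, height);
    if (!surface) return 0;
    unsigned char *data = image_surface_get_data(surface);
    memset(data, 1, (size_t)surface->stride * (size_t)height);   /* constructed input */
    unsigned long total = sum_pixels(surface);
    surface_destroy(surface);   /* last use of 'surface' is above this line */
    surface = NULL;             /* a later mistake now crashes on NULL instead of reading freed memory */
    return total;
}

/* A callee that consumes (drops) the reference it is handed. */
static void helper_that_consumes(image_surface_t *s) {
    surface_destroy(s);
}

/* When a callee drops a reference, the caller keeps its own so the handle
 * stays valid across the call; it releases that reference only when done. */
static unsigned long filter_paint_with_extra_ref(int width, int height) {
    image_surface_t *surface = image_surface_create(width, height);
    if (!surface) return 0;
    memset(image_surface_get_data(surface), 2, (size_t)surface->stride * (size_t)height);
    helper_that_consumes(surface_reference(surface));  /* callee gets and drops its own ref */
    unsigned long total = sum_pixels(surface);         /* still valid: our reference remains */
    surface_destroy(surface);
    return total;
}

static int live_surfaces(void) { return g_live_surfaces; }

int main(void) {
    printf("fixed ordering: %lu\n", filter_paint_fixed(4, 2));        /* 32 */
    printf("extra reference: %lu\n", filter_paint_with_extra_ref(4, 2)); /* 64 */
    printf("leaked surfaces: %d\n", live_surfaces());                  /* 0 */
    return 0;
}
```

Both functions end with the surface count back at zero, which is the check worth keeping in a unit test: a lifetime fix that merely moves the destroy earlier can turn a use after free into a leak, and a count of live objects catches that.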
Summary: integer overflows in nsSVGFilterFrame::FilterPaint → coverity user after free in nsSVGFilterFrame::FilterPaint
Oops, didn't notice this:
Bug 368675 Daniel Veditz 2007-03-01 13:46:31 PST (In reply to comment #3)
> according to coverity CID: 1083 from run 176:
> Description: Dereferencing freed pointer "surface" in call to function
> "_moz_cairo_image_surface_get_data"
Run 176 was Jan 16, I guess they don't scan the codebase all that often. That code was removed with revision 1.27 on Jan 22 (and isn't related to the integer overflow in this bug in any case).
so this is invalid?
FIXED I guess, it was real at one time.
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
Summary: coverity user after free in nsSVGFilterFrame::FilterPaint → coverity use after free in nsSVGFilterFrame::FilterPaint