Don't cache marker frames

Status

RESOLVED FIXED
12 years ago
11 years ago

People

(Reporter: longsonr, Assigned: longsonr)

Tracking

Trunk
Points:
---
Bug Flags:
wanted1.8.1.x -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?] post 1.8-branch)

Attachments

(2 attachments, 1 obsolete attachment)

(Assignee)

Description

12 years ago
Marker frames suffer from the same issue as bug 375775
(Assignee)

Comment 1

12 years ago
Created attachment 260721 [details]
attempted testcase

This causes mozilla to reference deleted memory. Depending on the values it points to you might crash.
(Assignee)

Comment 2

12 years ago
Created attachment 260733 [details] [diff] [review]
patch
Attachment #260733 - Flags: review?(tor)

Comment 3

12 years ago
Comment on attachment 260733 [details] [diff] [review]
patch

> class nsSVGMarkerProperty : public nsStubMutationObserver {
...
>+  nsWeakPtr AddMutationObserver(nsIURI *aURI, nsIContent *aContent);

nsWeakPtr is actually nsCOMPtr<nsIWeakReference> and the nsCOMPtr user manual says not to use nsCOMPtrs as return values:

  http://www.mozilla.org/projects/xpcom/nsCOMPtr.html#guide_nsCOMPtr_in_APIs
Attachment #260733 - Flags: review?(tor) → review-
(Assignee)

Comment 4

12 years ago
Created attachment 260815 [details] [diff] [review]
address review comment
Attachment #260733 - Attachment is obsolete: true
Attachment #260815 - Flags: review?(tor)

Updated

12 years ago
Attachment #260815 - Flags: review?(tor) → review+
(Assignee)

Updated

12 years ago
Attachment #260815 - Flags: superreview?(roc)
Attachment #260815 - Flags: superreview?(roc) → superreview+
(Assignee)

Comment 5

12 years ago
checked in.
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
This doesn't crash in FF2.0.0.3 -- a trunk only feature/problem?
Flags: wanted1.8.1.x-
Whiteboard: [sg:critical?] post 1.8-branch
(Assignee)

Comment 7

12 years ago
This is a fix for bug 371563. The 1.8 branch has a completely different implementation of markers so this fix is not required there.
Group: security