Closed Bug 505738 Opened 15 years ago Closed 13 years ago

nsScriptableRegion::GetRects doesn't handle failure from JS_NewArrayObject [@ JS_DefineElement - nsScriptableRegion::GetRects]

Categories

(Core :: Graphics, defect)

Product:
Core
Component:
Graphics
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla11

People

(Reporter: timeless, Assigned: timeless)

References

(Blocks 1 open bug,
URL
)

Details

(Keywords: coverity, crash)

Crash Data

Attachments

(1 file, 1 obsolete file)

updated reviewer
647 bytes, patch
gal
: review+
Details | Diff | Splinter Review
188 JSObject *destArray = JS_NewArrayObject(cx, mRectSet->mNumRects*4, NULL); JS_NewArrayObject will return null on oom and you'll crash here: 196 JS_DefineElement(cx, destArray, n, INT_TO_JSVAL(rect.x), NULL, NULL, JSPROP_ENUMERATE);
Attached patch patch (obsolete) — Splinter Review
Assignee: nobody → timeless
Status: NEW → ASSIGNED
Attachment #390177 - Flags: review?(vladimir)
Attachment #390177 - Flags: review?(vladimir) → review?(jmuizelaar)
Attached patch updated reviewerSplinter Review
Attachment #390177 - Attachment is obsolete: true
Attachment #391615 - Flags: review?(jmuizelaar)
Attachment #390177 - Flags: review?(jmuizelaar)
Comment on attachment 391615 [details] [diff] [review] updated reviewer I'm not a good reviewer for this.
Attachment #391615 - Flags: review?(jmuizelaar)
Crash Signature: [@ JS_DefineElement - nsScriptableRegion::GetRects]
Attachment #391615 - Flags: review?(gal)
Attachment #391615 - Flags: review?(gal) → review+
https://hg.mozilla.org/mozilla-central/rev/78de2c2bdad5
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla11
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: