Closed
Bug 620242
Opened 15 years ago
Closed 15 years ago
[@ JetpackActorCommon::RecList::remove] mishandles node
Categories
(Core :: XPCOM, defect)
Core
XPCOM
Tracking
()
RESOLVED
FIXED
mozilla2.0b9
People
(Reporter: timeless, Assigned: mozilla+ben)
References
(Blocks 1 open bug)
Details
(Keywords: coverity, crash, Whiteboard: [sg:nse])
Crash Data
Attachments
(1 file)
|
729 bytes,
patch
|
jst
:
review+
jst
:
approval2.0+
|
Details | Diff | Splinter Review |
504 JetpackActorCommon::RecList::remove(jsval v)
505 {
513 RecNode* prev = mHead, *node = prev->down;
514 while (node) {
515 if (node->value() == v) {
516 prev->down = node->down;
node is deleted here:
517 delete node;
518 }
and used here:
519 node = (prev = node)->down;
520 }
521 }
|
||
Updated•15 years ago
|
Whiteboard: [sg:critical?]
|
||
Updated•15 years ago
|
Group: core-security
Whiteboard: [sg:critical?] → [sg:nse]
|
|
||
Updated•15 years ago
|
Severity: blocker → normal
|
|
||
Updated•15 years ago
|
Component: General → XPCOM
Product: Add-on SDK → Core
QA Contact: general → xpcom
Target Milestone: -- → ---
|
Assignee | |
Comment 1•15 years ago
|
||
True story. Thanks, timeless.
Attachment #499385 -
Flags: review?(jst)
|
||
Comment 2•15 years ago
|
||
Comment on attachment 499385 [details] [diff] [review]
patch to avoid freed-memory access
Thanks for the patch, Ben! (and Happy Holidays too :)
r+a=jst
Attachment #499385 -
Flags: review?(jst)
Attachment #499385 -
Flags: review+
Attachment #499385 -
Flags: approval2.0+
|
|
||
Updated•15 years ago
|
Keywords: checkin-needed
|
||
Updated•15 years ago
|
Assignee: nobody → mozilla+ben
|
|
||
Comment 3•15 years ago
|
||
Status: NEW → RESOLVED
Closed: 15 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.0b9
Version: unspecified → Trunk
|
||
Updated•14 years ago
|
Crash Signature: [@ JetpackActorCommon::RecList::remove]
|
||
Updated•7 years ago
|
Blocks: coverity-analysis
You need to log in
before you can comment on or make changes to this bug.
Description
•