Closed Bug 620242 Opened 9 years ago Closed 9 years ago

[@ JetpackActorCommon::RecList::remove] mishandles node

Categories

(Core :: XPCOM, defect)


RESOLVED FIXED
mozilla2.0b9

People

(Reporter: timeless, Assigned: mozilla+ben)

References

(Blocks 1 open bug)

Details

(Keywords: coverity, crash, Whiteboard: [sg:nse])

Attachments

(1 file)

JetpackActorCommon::RecList::remove(jsval v)
{

  RecNode* prev = mHead, *node = prev->down;
  while (node) {
    if (node->value() == v) {
      prev->down = node->down;
node is deleted here:
      delete node;
    }
and used here:
    node = (prev = node)->down;
  }
}
Whiteboard: [sg:critical?]
Group: core-security
Whiteboard: [sg:critical?] → [sg:nse]
Severity: blocker → normal
Component: General → XPCOM
Product: Add-on SDK → Core
QA Contact: general → xpcom
Target Milestone: -- → ---
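In the reported loop, the statement `node = (prev = node)->down` reads `down` from a node that may just have been deleted, and it also leaves `prev` pointing at that deleted node for the next unlink. The following is an added example, not the code from attachment 499385 or from the Mozilla tree, of a removal loop that avoids both; `Node`, `List`, `removeAll`, `values` and the `int` payload are hypothetical stand-ins for `RecNode`, `RecList` and `jsval`.

```cpp
#include <cstddef>
#include <initializer_list>
#include <vector>

// Hypothetical stand-in for the reported list: a sentinel head plus `down` links.
struct Node {
  int value;
  Node* down;
  static int live;                       // live-node count, used to check frees
  explicit Node(int v) : value(v), down(nullptr) { ++live; }
  ~Node() { --live; }
};
int Node::live = 0;

struct List {
  Node* head;                            // sentinel, never removed
  List(std::initializer_list<int> vals) : head(new Node(0)) {
    Node* tail = head;
    for (int v : vals) { tail->down = new Node(v); tail = tail->down; }
  }
  ~List() {
    for (Node* n = head; n;) { Node* next = n->down; delete n; n = next; }
  }
  List(const List&) = delete; List& operator=(const List&) = delete;
  // Remove every node equal to v without touching freed memory:
  //  1. read node->down into `next` before `delete node`;
  //  2. advance `prev` only onto a node that was kept.
  std::size_t removeAll(int v) {
    std::size_t removed = 0;
    Node* prev = head;
    Node* node = prev->down;
    while (node) {
      Node* next = node->down;           // saved while node is still valid
      if (node->value == v) {
        prev->down = next;               // unlink
        delete node;                     // node is dead from here on
        ++removed;
      } else {
        prev = node;                     // node survived, safe to step onto
      }
      node = next;
    }
    return removed;
  }
  std::vector<int> values() const {
    std::vector<int> out;
    for (Node* n = head->down; n; n = n->down) out.push_back(n->value);
    return out;
  }
};
```

Consecutive matching nodes are the case that exercises rule 2: if `prev` stepped onto a deleted node, the next unlink would write through a dangling pointer.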
True story. Thanks, timeless.
Attachment #499385 - Flags: review?(jst)
Comment on attachment 499385 [details] [diff] [review]
patch to avoid freed-memory access

Thanks for the patch, Ben! (and Happy Holidays too :)

r+a=jst
Attachment #499385 - Flags: review?(jst)
Attachment #499385 - Flags: review+
Attachment #499385 - Flags: approval2.0+
Assignee: nobody → mozilla+ben
http://hg.mozilla.org/mozilla-central/rev/804aa1c428d2
Status: NEW → RESOLVED
Closed: 9 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.0b9
Version: unspecified → Trunk
Crash Signature: [@ JetpackActorCommon::RecList::remove]