Closed
Bug 620242
Opened 14 years ago
Closed 14 years ago
[@ JetpackActorCommon::RecList::remove] mishandles node
Categories
(Core :: XPCOM, defect)
Core
XPCOM
Tracking
()
RESOLVED
FIXED
mozilla2.0b9
People
(Reporter: timeless, Assigned: mozilla+ben)
References
(Blocks 1 open bug)
Details
(Keywords: coverity, crash, Whiteboard: [sg:nse])
Crash Data
Attachments
(1 file)
729 bytes,
patch
|
jst
:
review+
jst
:
approval2.0+
|
Details | Diff | Splinter Review |
504 JetpackActorCommon::RecList::remove(jsval v) 505 { 513 RecNode* prev = mHead, *node = prev->down; 514 while (node) { 515 if (node->value() == v) { 516 prev->down = node->down; node is deleted here: 517 delete node; 518 } and used here: 519 node = (prev = node)->down; 520 } 521 }
Updated•14 years ago
|
Whiteboard: [sg:critical?]
Updated•14 years ago
|
Group: core-security
Whiteboard: [sg:critical?] → [sg:nse]
Updated•14 years ago
|
Severity: blocker → normal
Updated•14 years ago
|
Component: General → XPCOM
Product: Add-on SDK → Core
QA Contact: general → xpcom
Target Milestone: -- → ---
Assignee | ||
Comment 1•14 years ago
|
||
True story. Thanks, timeless.
Attachment #499385 -
Flags: review?(jst)
Comment 2•14 years ago
|
||
Comment on attachment 499385 [details] [diff] [review] patch to avoid freed-memory access Thanks for the patch, Ben! (and Happy Holidays too :) r+a=jst
Attachment #499385 -
Flags: review?(jst)
Attachment #499385 -
Flags: review+
Attachment #499385 -
Flags: approval2.0+
Updated•14 years ago
|
Keywords: checkin-needed
Updated•14 years ago
|
Assignee: nobody → mozilla+ben
Comment 3•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/804aa1c428d2
Status: NEW → RESOLVED
Closed: 14 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.0b9
Version: unspecified → Trunk
Updated•13 years ago
|
Crash Signature: [@ JetpackActorCommon::RecList::remove]
Updated•6 years ago
|
Blocks: coverity-analysis
You need to log in
before you can comment on or make changes to this bug.
Description
•