Closed Bug 655138 Opened 13 years ago Closed 13 years ago

Invalid write [@ nsUserFontSet::ReplaceFontEntry]

Categories

(Core :: Graphics, defect)

Product:
Core
Component:
Graphics
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jruderman, Assigned: jfkthame)

Details

(Keywords: testcase, valgrind, Whiteboard: [sg:critical?])

Attachments

(3 files)

valgrind output (firefox opt)
13.86 KB, text/plain
Details
valgrind output (firefox debug)
13.77 KB, text/plain
Details
patch, don't use aOldFontEntry after it may have been released
862 bytes, patch
jtd
: review+
Details | Diff | Splinter Review 
Loading layout/reftests/font-face/local-1.html under Valgrind gives me an invalid write (write after free) in nsUserFontSet::ReplaceFontEntry.

    
  
Whiteboard: [sg:critical?]

    
    

    
  


  
As usual, valgrind is right. Replacing the entry in mAvailableFonts can cause deletion of the old entry, so we mustn't try to use it after that.
Assignee: nobody → jfkthame

        Attachment #530603 -
        Flags: review?(jdaggett)

    
    

    
  
Comment on attachment 530603 [details] [diff] [review]
patch, don't use aOldFontEntry after it may have been released

Argh, sorry I missed this when reviewing previous patches.

        Attachment #530603 -
        Flags: review?(jdaggett) → review+

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/c6f971864dde
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED

    
  
Group: core-security → core-security-release
Group: core-security-release

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: