Closed
Bug 669584
Opened 13 years ago
Closed 13 years ago
The fix for bug 639728 forgot that items are created lazily
Categories
(Core :: SVG, defect)
Core
SVG
Tracking
()
RESOLVED
FIXED
People
(Reporter: jwatt, Assigned: jwatt)
References
Details
(Whiteboard: [sg:critical?][qa-])
Attachments
(1 file)
6.21 KB,
patch
|
dholbert
:
review+
christian
:
approval-mozilla-aurora+
christian
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
The fix for bug 639728 forgot that items are created lazily. Checking that the list length is going to change to zero is not enough. The last remaining reference to the object may be a single item at an arbitrary index, so really we have to check whether the list length is decreasing.
Assignee | ||
Comment 1•13 years ago
|
||
Attachment #544186 -
Flags: review?(dholbert)
Comment 2•13 years ago
|
||
Comment on attachment 544186 [details] [diff] [review]
patch
Do you have a testcase for this? (not that we'd want to check it in yet)
We probably should take this on aurora & beta, too.
Attachment #544186 -
Flags: review?(dholbert) → review+
Comment 3•13 years ago
|
||
guessing sg:critical since the other one was and you marked this as a security bug? please correct if wrong.
blocking2.0: --- → -
status1.9.1:
--- → unaffected
status1.9.2:
--- → unaffected
status-firefox5:
--- → affected
status-firefox6:
--- → affected
status-firefox7:
--- → affected
status-firefox8:
--- → affected
tracking-firefox5:
--- → -
Keywords: testcase-wanted
Whiteboard: [sg:critical?]
Comment 4•13 years ago
|
||
Yes -- this is indeed [sg:critical]. (could trigger early deletion of the |this| pointer, followed by more method-calls on |this|, in the affected code.)
Assignee | ||
Comment 5•13 years ago
|
||
Pushed http://hg.mozilla.org/integration/mozilla-inbound/rev/a3053d8e4090
I don't have the cycles to make a regression testcase today, but I'll leave this bug open for that. The testcase only needs to land on trunk anyway.
Assignee | ||
Comment 6•13 years ago
|
||
Comment on attachment 544186 [details] [diff] [review]
patch
Yeah, I agree with dholbert this should land on beta and aurora. Pretty much no risk as mentioned in bug 639728 comment 20.
Attachment #544186 -
Flags: approval-mozilla-beta?
Attachment #544186 -
Flags: approval-mozilla-aurora?
Updated•13 years ago
|
Comment on attachment 544186 [details] [diff] [review]
patch
Approved for releases/mozilla-aurora and releases/mozilla-beta
Attachment #544186 -
Flags: approval-mozilla-beta?
Attachment #544186 -
Flags: approval-mozilla-beta+
Attachment #544186 -
Flags: approval-mozilla-aurora?
Attachment #544186 -
Flags: approval-mozilla-aurora+
Assignee | ||
Comment 8•13 years ago
|
||
Assignee | ||
Updated•13 years ago
|
Assignee | ||
Updated•13 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Assignee | ||
Updated•13 years ago
|
Flags: in-testsuite?
qa- as no QA fix verification needed
Whiteboard: [sg:critical?] → [sg:critical?][qa-]
Updated•13 years ago
|
Group: core-security
Updated•9 years ago
|
Keywords: testcase-wanted
You need to log in
before you can comment on or make changes to this bug.
Description
•