Closed Bug 868266 Opened 7 years ago Closed 7 years ago
Root the arguments array in ns
Object Loading Content::Legacy Call
Spinning this off into a separate bug, because I think we want it on Aurora: it's a GC hazard even with our current GC setup.
Whiteboard: [need review]
Target Milestone: --- → mozilla23
Comment on attachment 744950 [details] [diff] [review] Root the arguments list in nsObjectLoadingContent::LegacyCall. [Approval Request Comment] Bug caused by (feature/regressing bug #): Bug 827158 User impact if declined: A GC hazard that may end up being exploitable if one tries hard enough. Testing completed (on m-c, etc.): Passes tests and all. Risk to taking this patch (and alternatives if risky): Very low risk: just adds on-stack rooting. The other options are to do nothing or to turn off WebIDL bindings for object/embed/applet, but the latter is riskier than this patch. String or IDL/UUID changes made by this patch: None.
Attachment #744950 - Flags: approval-mozilla-aurora?
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Attachment #744950 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.