Closed Bug 789843 Opened 12 years ago Closed 12 years ago

Access after free in nsCSSStyleSheet::ParseSheet

Categories

(Core :: CSS Parsing and Computation, defect)

Product:
Core
Component:
CSS Parsing and Computation
Platform:
All
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 781032

People

(Reporter: ttaubert, Unassigned)

References

Details

(Keywords: crash, reproducible)

Crash Data

Attachments

(1 file)

null out mNameSpaceMap before creating the new css parser
(deleted), patch
Details | Diff | Splinter Review
While working on another bug I had browser_styleeditor_reopen.js crash reliably: https://tbpl.mozilla.org/?tree=Try&rev=5805ebce61e4 That's the same crash as some of the comments in bug 707891. It's reproducible using a debug build on my Linux 64bit machine. Debugging with Valgrind brought up the following: http://pastebin.mozilla.org/1812606 The culprit I found was that we do: > nsCSSParser parser(loader, this); > // ... > mInner->mNameSpaceMap = nullptr; This causes parser->mNameSpaceMap to continue pointing to the old nameSpaceMap which is now in an invalid state because its members have been freed. If I'm not mistaken all we have to do is to make sure we null out mNameSpaceMap before creating the new parser so that the constructor can just set it to nullptr and create it when needed. This fixes the crash locally though I'm not at all familiar with the code to say if that has any unwanted side-effects...
Attachment #659605 - Flags: review?(cedricv)
Isn't this a duplicate of bug 781032?
Yes, sorry.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Attachment #659605 - Flags: review?(cedricv)
No need to be sorry! _I'm_ sorry you had to spend time on this. :(
Assignee: ttaubert → nobody
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: