diff options
author | Gaming4JC <g4jc@hyperbola.info> | 2019-05-04 18:42:29 -0400 |
---|---|---|
committer | Gaming4JC <g4jc@hyperbola.info> | 2019-05-04 18:42:29 -0400 |
commit | 4ed4303dd11f61123a93faf8e9c6cbe69f2349c9 (patch) | |
tree | f7151af3381735036520dabaffb878ef90510a44 /parser/html/nsHtml5TreeOpExecutor.cpp | |
parent | aa4055cb420d23ae105c39b2f13d68352a9fad36 (diff) | |
download | uxp-4ed4303dd11f61123a93faf8e9c6cbe69f2349c9.tar.gz |
backport m-c 1510114: Fix Use-After-Free in the HTML5 Parser
Fixes #1076
Diffstat (limited to 'parser/html/nsHtml5TreeOpExecutor.cpp')
-rw-r--r-- | parser/html/nsHtml5TreeOpExecutor.cpp | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/parser/html/nsHtml5TreeOpExecutor.cpp b/parser/html/nsHtml5TreeOpExecutor.cpp index 4684496985..5c3f32d6fb 100644 --- a/parser/html/nsHtml5TreeOpExecutor.cpp +++ b/parser/html/nsHtml5TreeOpExecutor.cpp @@ -351,6 +351,12 @@ nsHtml5TreeOpExecutor::RunFlushLoop() nsHtml5FlushLoopGuard guard(this); // this is also the self-kungfu! RefPtr<nsParserBase> parserKungFuDeathGrip(mParser); + RefPtr<nsHtml5StreamParser> streamParserGrip; + if (mParser) { + streamParserGrip = GetParser()->GetStreamParser(); + } + mozilla::Unused + << streamParserGrip; // Intentionally not used within function // Remember the entry time (void) nsContentSink::WillParseImpl(); @@ -409,11 +415,6 @@ nsHtml5TreeOpExecutor::RunFlushLoop() mOpQueue.Clear(); // clear in order to be able to assert in destructor return; } - // Not sure if this grip is still needed, but previously, the code - // gripped before calling ParseUntilBlocked(); - RefPtr<nsHtml5StreamParser> streamKungFuDeathGrip = - GetParser()->GetStreamParser(); - mozilla::Unused << streamKungFuDeathGrip; // Not used within function // Now parse content left in the document.write() buffer queue if any. // This may generate tree ops on its own or dequeue a speculation. nsresult rv = GetParser()->ParseUntilBlocked(); @@ -529,6 +530,12 @@ nsHtml5TreeOpExecutor::FlushDocumentWrite() RefPtr<nsHtml5TreeOpExecutor> kungFuDeathGrip(this); RefPtr<nsParserBase> parserKungFuDeathGrip(mParser); mozilla::Unused << parserKungFuDeathGrip; // Intentionally not used within function + RefPtr<nsHtml5StreamParser> streamParserGrip; + if (mParser) { + streamParserGrip = GetParser()->GetStreamParser(); + } + mozilla::Unused + << streamParserGrip; // Intentionally not used within function NS_ASSERTION(!mReadingFromStage, "Got doc write flush when reading from stage"); |