summaryrefslogtreecommitdiffstats
path: root/mailnews/imap/src
diff options
context:
space:
mode:
authorMatt A. Tobin <email@mattatobin.com>2019-11-10 21:59:52 -0500
committerMatt A. Tobin <email@mattatobin.com>2019-11-10 21:59:52 -0500
commitcea77b76b3fef912bd79e777f97d353aa50474b6 (patch)
tree5f4792d164e62e4b9a257811dd259cc40c053683 /mailnews/imap/src
parent05667b0d48b50f434ea48a3065adea6c0a88f226 (diff)
downloadUXP-cea77b76b3fef912bd79e777f97d353aa50474b6.tar
UXP-cea77b76b3fef912bd79e777f97d353aa50474b6.tar.gz
UXP-cea77b76b3fef912bd79e777f97d353aa50474b6.tar.lz
UXP-cea77b76b3fef912bd79e777f97d353aa50474b6.tar.xz
UXP-cea77b76b3fef912bd79e777f97d353aa50474b6.zip
Bug 1333038 - Use 'modern' pointers to fix crash due to nsMsgLineStreamBuffer object being deleted while still in use.
Suspected "use after free" in nsMsgLineStreamBuffer::ReadNextLine() leading to crash since object may be destroyed while still in use on another thread. Tag #1273
Diffstat (limited to 'mailnews/imap/src')
-rw-r--r--mailnews/imap/src/nsImapMailFolder.cpp3
-rw-r--r--mailnews/imap/src/nsImapProtocol.cpp1
-rw-r--r--mailnews/imap/src/nsImapProtocol.h2
-rw-r--r--mailnews/imap/src/nsImapService.cpp8
4 files changed, 6 insertions, 8 deletions
diff --git a/mailnews/imap/src/nsImapMailFolder.cpp b/mailnews/imap/src/nsImapMailFolder.cpp
index 4fade9d3f..da1411cd0 100644
--- a/mailnews/imap/src/nsImapMailFolder.cpp
+++ b/mailnews/imap/src/nsImapMailFolder.cpp
@@ -8379,7 +8379,7 @@ nsImapMailFolder::CopyFileToOfflineStore(nsIFile *srcFile, nsMsgKey msgKey)
{
// Now, parse the temp file to (optionally) copy to
// the offline store for the cur folder.
- nsMsgLineStreamBuffer *inputStreamBuffer =
+ RefPtr<nsMsgLineStreamBuffer> inputStreamBuffer =
new nsMsgLineStreamBuffer(FILE_IO_BUFFER_SIZE, true, false);
int64_t fileSize;
srcFile->GetFileSize(&fileSize);
@@ -8443,7 +8443,6 @@ nsImapMailFolder::CopyFileToOfflineStore(nsIFile *srcFile, nsMsgKey msgKey)
notifier->NotifyMsgsClassified(messages, false, false);
inputStream->Close();
inputStream = nullptr;
- delete inputStreamBuffer;
}
if (offlineStore)
offlineStore->Close();
diff --git a/mailnews/imap/src/nsImapProtocol.cpp b/mailnews/imap/src/nsImapProtocol.cpp
index 5e2639a5a..20cadc25c 100644
--- a/mailnews/imap/src/nsImapProtocol.cpp
+++ b/mailnews/imap/src/nsImapProtocol.cpp
@@ -586,7 +586,6 @@ nsImapProtocol::~nsImapProtocol()
NS_IF_RELEASE(m_flagState);
PR_Free(m_dataOutputBuf);
- delete m_inputStreamBuffer;
// **** We must be out of the thread main loop function
NS_ASSERTION(!m_imapThreadIsRunning, "Oops, thread is still running.\n");
diff --git a/mailnews/imap/src/nsImapProtocol.h b/mailnews/imap/src/nsImapProtocol.h
index 5c4f43abd..32cf90e4c 100644
--- a/mailnews/imap/src/nsImapProtocol.h
+++ b/mailnews/imap/src/nsImapProtocol.h
@@ -323,7 +323,7 @@ private:
nsCString m_serverKey;
nsCString m_realHostName;
char *m_dataOutputBuf;
- nsMsgLineStreamBuffer * m_inputStreamBuffer;
+ RefPtr<nsMsgLineStreamBuffer> m_inputStreamBuffer;
uint32_t m_allocatedSize; // allocated size
uint32_t m_totalDataSize; // total data size
uint32_t m_curReadIndex; // current read index
diff --git a/mailnews/imap/src/nsImapService.cpp b/mailnews/imap/src/nsImapService.cpp
index 5e097311e..1d97dec29 100644
--- a/mailnews/imap/src/nsImapService.cpp
+++ b/mailnews/imap/src/nsImapService.cpp
@@ -2061,9 +2061,10 @@ nsresult nsImapService::OfflineAppendFromFile(nsIFile *aFile,
if (NS_SUCCEEDED(rv) && inputStream)
{
// now, copy the temp file to the offline store for the dest folder.
- nsMsgLineStreamBuffer *inputStreamBuffer = new nsMsgLineStreamBuffer(FILE_IO_BUFFER_SIZE,
- true, // allocate new lines
- false); // leave CRLFs on the returned string
+ RefPtr<nsMsgLineStreamBuffer> inputStreamBuffer =
+ new nsMsgLineStreamBuffer(FILE_IO_BUFFER_SIZE,
+ true, // allocate new lines
+ false); // leave CRLFs on the returned string
int64_t fileSize;
aFile->GetFileSize(&fileSize);
uint32_t bytesWritten;
@@ -2109,7 +2110,6 @@ nsresult nsImapService::OfflineAppendFromFile(nsIFile *aFile,
inputStream->Close();
inputStream = nullptr;
aListener->OnStopRunningUrl(aUrl, NS_OK);
- delete inputStreamBuffer;
}
offlineStore->Close();
}