From cea77b76b3fef912bd79e777f97d353aa50474b6 Mon Sep 17 00:00:00 2001 From: "Matt A. Tobin" Date: Sun, 10 Nov 2019 21:59:52 -0500 Subject: Bug 1333038 - Use 'modern' pointers to fix crash due to nsMsgLineStreamBuffer object being deleted while still in use. Suspected "use after free" in nsMsgLineStreamBuffer::ReadNextLine() leading to crash since object may be destroyed while still in use on another thread. Tag #1273 --- mailnews/local/src/nsMailboxProtocol.cpp | 4 ---- mailnews/local/src/nsMailboxProtocol.h | 2 +- mailnews/local/src/nsPop3Protocol.cpp | 4 ---- mailnews/local/src/nsPop3Protocol.h | 2 +- 4 files changed, 2 insertions(+), 10 deletions(-) (limited to 'mailnews/local/src') diff --git a/mailnews/local/src/nsMailboxProtocol.cpp b/mailnews/local/src/nsMailboxProtocol.cpp index fad77aa93..0148133b3 100644 --- a/mailnews/local/src/nsMailboxProtocol.cpp +++ b/mailnews/local/src/nsMailboxProtocol.cpp @@ -50,8 +50,6 @@ PRLogModuleInfo *MAILBOX; nsMailboxProtocol::nsMailboxProtocol(nsIURI * aURI) : nsMsgProtocol(aURI) { - m_lineStreamBuffer =nullptr; - // initialize the pr log if it hasn't been initialiezed already if (!MAILBOX) MAILBOX = PR_NewLogModule("MAILBOX"); @@ -59,8 +57,6 @@ nsMailboxProtocol::nsMailboxProtocol(nsIURI * aURI) nsMailboxProtocol::~nsMailboxProtocol() { - // free our local state - delete m_lineStreamBuffer; } nsresult nsMailboxProtocol::OpenMultipleMsgTransport(uint64_t offset, int32_t size) diff --git a/mailnews/local/src/nsMailboxProtocol.h b/mailnews/local/src/nsMailboxProtocol.h index e030c8d7c..36c892069 100644 --- a/mailnews/local/src/nsMailboxProtocol.h +++ b/mailnews/local/src/nsMailboxProtocol.h @@ -74,7 +74,7 @@ private: nsCOMPtr m_mailboxParser; // Local state for the current operation - nsMsgLineStreamBuffer * m_lineStreamBuffer; // used to efficiently extract lines from the incoming data stream + RefPtr m_lineStreamBuffer; // used to efficiently extract lines from the incoming data stream // Generic state information -- What state are we in? What state do we want to go to // after the next response? What was the last response code? etc. diff --git a/mailnews/local/src/nsPop3Protocol.cpp b/mailnews/local/src/nsPop3Protocol.cpp index 825f45ab3..5d9d9145a 100644 --- a/mailnews/local/src/nsPop3Protocol.cpp +++ b/mailnews/local/src/nsPop3Protocol.cpp @@ -451,7 +451,6 @@ nsPop3Protocol::nsPop3Protocol(nsIURI* aURL) m_totalFolderSize(0), m_totalDownloadSize(0), m_totalBytesReceived(0), - m_lineStreamBuffer(nullptr), m_pop3ConData(nullptr) { } @@ -590,9 +589,6 @@ void nsPop3Protocol::Cleanup() FreeMsgInfo(); PR_Free(m_pop3ConData->only_uidl); PR_Free(m_pop3ConData); - - delete m_lineStreamBuffer; - m_lineStreamBuffer = nullptr; } void nsPop3Protocol::SetCapFlag(uint32_t flag) diff --git a/mailnews/local/src/nsPop3Protocol.h b/mailnews/local/src/nsPop3Protocol.h index a332eae84..43a8aa4e8 100644 --- a/mailnews/local/src/nsPop3Protocol.h +++ b/mailnews/local/src/nsPop3Protocol.h @@ -318,7 +318,7 @@ private: nsCOMPtr m_nsIPop3Sink; nsCOMPtr m_pop3Server; - nsMsgLineStreamBuffer * m_lineStreamBuffer; // used to efficiently extract lines from the incoming data stream + RefPtr m_lineStreamBuffer; // used to efficiently extract lines from the incoming data stream Pop3ConData* m_pop3ConData; void FreeMsgInfo(); void Abort(); -- cgit v1.2.3