authorMoonchild <mcwerewolf@wolfbeast.com>2019-05-05 13:33:32 +0000
committerGitHub <noreply@github.com>2019-05-05 13:33:32 +0000
commitd0f1f53e59e5f4d0088b8f83a0f5c450f25e0dff (patch)
treef7151af3381735036520dabaffb878ef90510a44
parentaa4055cb420d23ae105c39b2f13d68352a9fad36 (diff)
parent4ed4303dd11f61123a93faf8e9c6cbe69f2349c9 (diff)
Merge pull request #1077 from g4jc/cve_2018_18500
Fix Use-After-Free in the HTML5 Parser (DiD)
-rw-r--r--parser/html/nsHtml5TreeOpExecutor.cpp17
1 files changed, 12 insertions, 5 deletions
diff --git a/parser/html/nsHtml5TreeOpExecutor.cpp b/parser/html/nsHtml5TreeOpExecutor.cpp
index 468449698..5c3f32d6f 100644
--- a/parser/html/nsHtml5TreeOpExecutor.cpp
+++ b/parser/html/nsHtml5TreeOpExecutor.cpp
@@ -351,6 +351,12 @@ nsHtml5TreeOpExecutor::RunFlushLoop()
nsHtml5FlushLoopGuard guard(this); // this is also the self-kungfu!
RefPtr<nsParserBase> parserKungFuDeathGrip(mParser);
+ RefPtr<nsHtml5StreamParser> streamParserGrip;
+ if (mParser) {
+ streamParserGrip = GetParser()->GetStreamParser();
+ }
+ mozilla::Unused
+ << streamParserGrip; // Intentionally not used within function
// Remember the entry time
(void) nsContentSink::WillParseImpl();
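Review bot: The comment `// Intentionally not used within function` on the new streamParserGrip in RunFlushLoop (and the identical one added in FlushDocumentWrite in the third hunk) records that the local is deliberately unused but not why it must exist, which is exactly what a future cleanup pass needs to know before removing an "unused" RefPtr. Given the commit title and the removed comment in the second hunk ("previously, the code gripped before calling ParseUntilBlocked()"), the intent appears to be keeping the stream parser alive across the whole flush rather than just the ParseUntilBlocked call; suggest replacing the comment in both places with `// Keep the stream parser alive for the entire flush: tree ops run below may run script that detaches the parser.` (hedged, confirm against the parser's detach path). As a point of style, the existing line `mozilla::Unused << parserKungFuDeathGrip; // Intentionally not used within function` is written on one line while the new `mozilla::Unused` / `<< streamParserGrip;` is split across two; keeping `mozilla::Unused << streamParserGrip;` on one line matches the surrounding code. RunFlushLoop's body begins and ends outside this hunk.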
@@ -409,11 +415,6 @@ nsHtml5TreeOpExecutor::RunFlushLoop()
mOpQueue.Clear(); // clear in order to be able to assert in destructor
return;
}
- // Not sure if this grip is still needed, but previously, the code
- // gripped before calling ParseUntilBlocked();
- RefPtr<nsHtml5StreamParser> streamKungFuDeathGrip =
- GetParser()->GetStreamParser();
- mozilla::Unused << streamKungFuDeathGrip; // Not used within function
// Now parse content left in the document.write() buffer queue if any.
// This may generate tree ops on its own or dequeue a speculation.
nsresult rv = GetParser()->ParseUntilBlocked();
@@ -529,6 +530,12 @@ nsHtml5TreeOpExecutor::FlushDocumentWrite()
RefPtr<nsHtml5TreeOpExecutor> kungFuDeathGrip(this);
RefPtr<nsParserBase> parserKungFuDeathGrip(mParser);
mozilla::Unused << parserKungFuDeathGrip; // Intentionally not used within function
+ RefPtr<nsHtml5StreamParser> streamParserGrip;
+ if (mParser) {
+ streamParserGrip = GetParser()->GetStreamParser();
+ }
+ mozilla::Unused
+ << streamParserGrip; // Intentionally not used within function
NS_ASSERTION(!mReadingFromStage,
"Got doc write flush when reading from stage");