From cea77b76b3fef912bd79e777f97d353aa50474b6 Mon Sep 17 00:00:00 2001
From: "Matt A. Tobin"
Date: Sun, 10 Nov 2019 21:59:52 -0500
Subject: Bug 1333038 - Use 'modern' pointers to fix crash due to nsMsgLineStreamBuffer object being deleted while still in use. Suspected "use after free" in nsMsgLineStreamBuffer::ReadNextLine() leading to crash since object may be destroyed while still in use on another thread. Tag #1273
---
 mailnews/imap/src/nsImapMailFolder.cpp | 3 +--
 mailnews/imap/src/nsImapProtocol.cpp | 1 -
 mailnews/imap/src/nsImapProtocol.h | 2 +-
 mailnews/imap/src/nsImapService.cpp | 8 ++++----
 4 files changed, 6 insertions(+), 8 deletions(-)
(limited to 'mailnews/imap')
diff --git a/mailnews/imap/src/nsImapMailFolder.cpp b/mailnews/imap/src/nsImapMailFolder.cpp
index 4fade9d3f..da1411cd0 100644
--- a/mailnews/imap/src/nsImapMailFolder.cpp
+++ b/mailnews/imap/src/nsImapMailFolder.cpp
@@ -8379,7 +8379,7 @@ nsImapMailFolder::CopyFileToOfflineStore(nsIFile *srcFile, nsMsgKey msgKey)
 {
 // Now, parse the temp file to (optionally) copy to
 // the offline store for the cur folder.
- nsMsgLineStreamBuffer *inputStreamBuffer =
+ RefPtr inputStreamBuffer =
 new nsMsgLineStreamBuffer(FILE_IO_BUFFER_SIZE, true, false);
 int64_t fileSize;
 srcFile->GetFileSize(&fileSize);
@@ -8443,7 +8443,6 @@ nsImapMailFolder::CopyFileToOfflineStore(nsIFile *srcFile, nsMsgKey msgKey)
 notifier->NotifyMsgsClassified(messages, false, false);
 inputStream->Close();
 inputStream = nullptr;
- delete inputStreamBuffer;
 }
 if (offlineStore)
 offlineStore->Close();
diff --git a/mailnews/imap/src/nsImapProtocol.cpp b/mailnews/imap/src/nsImapProtocol.cpp
index 5e2639a5a..20cadc25c 100644
--- a/mailnews/imap/src/nsImapProtocol.cpp
+++ b/mailnews/imap/src/nsImapProtocol.cpp
@@ -586,7 +586,6 @@ nsImapProtocol::~nsImapProtocol()
 NS_IF_RELEASE(m_flagState);
 PR_Free(m_dataOutputBuf);
- delete m_inputStreamBuffer;
 // **** We must be out of the thread main loop function
 NS_ASSERTION(!m_imapThreadIsRunning, "Oops, thread is still running.\n");
diff --git a/mailnews/imap/src/nsImapProtocol.h b/mailnews/imap/src/nsImapProtocol.h
index 5c4f43abd..32cf90e4c 100644
--- a/mailnews/imap/src/nsImapProtocol.h
+++ b/mailnews/imap/src/nsImapProtocol.h
@@ -323,7 +323,7 @@ private:
 nsCString m_serverKey;
 nsCString m_realHostName;
 char *m_dataOutputBuf;
- nsMsgLineStreamBuffer * m_inputStreamBuffer;
+ RefPtr m_inputStreamBuffer;
 uint32_t m_allocatedSize; // allocated size
 uint32_t m_totalDataSize; // total data size
 uint32_t m_curReadIndex; // current read index
diff --git a/mailnews/imap/src/nsImapService.cpp b/mailnews/imap/src/nsImapService.cpp
index 5e097311e..1d97dec29 100644
--- a/mailnews/imap/src/nsImapService.cpp
+++ b/mailnews/imap/src/nsImapService.cpp
@@ -2061,9 +2061,10 @@ nsresult nsImapService::OfflineAppendFromFile(nsIFile *aFile,
 if (NS_SUCCEEDED(rv) && inputStream)
 {
 // now, copy the temp file to the offline store for the dest folder.
- nsMsgLineStreamBuffer *inputStreamBuffer = new nsMsgLineStreamBuffer(FILE_IO_BUFFER_SIZE,
- true, // allocate new lines
- false); // leave CRLFs on the returned string
+ RefPtr inputStreamBuffer =
+ new nsMsgLineStreamBuffer(FILE_IO_BUFFER_SIZE,
+ true, // allocate new lines
+ false); // leave CRLFs on the returned string
 int64_t fileSize;
 aFile->GetFileSize(&fileSize);
 uint32_t bytesWritten;
@@ -2109,7 +2110,6 @@ nsresult nsImapService::OfflineAppendFromFile(nsIFile *aFile,
 inputStream->Close();
 inputStream = nullptr;
 aListener->OnStopRunningUrl(aUrl, NS_OK);
- delete inputStreamBuffer;
 }
 offlineStore->Close();
 }
--
cgit v1.2.3
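Review bot: The `RefPtr` member `m_inputStreamBuffer` in the nsImapProtocol.h hunk removes the explicit `delete` from the destructor, but by itself it does not stop another thread from using the buffer while it is released; that depends on code outside these hunks. nsMsgLineStreamBuffer's declaration is not part of this view (the page is limited to mailnews/imap), so confirm it declares an atomic count, e.g. `NS_INLINE_DECL_THREADSAFE_REFCOUNTING(nsMsgLineStreamBuffer)`, with a non-public destructor so a leftover `delete` fails to compile. Any reader that can run while the member is reassigned or cleared should work on its own strong reference, `RefPtr<nsMsgLineStreamBuffer> buf = m_inputStreamBuffer;`, taken under whatever serializes access to the member, because RefPtr assignment is not atomic. I would also add a comment on the member such as `// Shared with the IMAP thread; copy into a local RefPtr before calling ReadNextLine().`, adjusted to the actual threading rule. The class body surrounding this member starts and ends outside the hunk.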