From 7f7f6c6a22927339ea68ffca8196b68b08c0b516 Mon Sep 17 00:00:00 2001
From: Fedor
Date: Mon, 8 Jul 2019 13:08:10 +0300
Subject: [PATCH] backport m-c 1510114: Fix Use-After-Free in the HTML5 Parser
---
 parser/html/nsHtml5TreeOpExecutor.cpp | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/parser/html/nsHtml5TreeOpExecutor.cpp b/parser/html/nsHtml5TreeOpExecutor.cpp
index 468449698..5c3f32d6f 100644
--- a/parser/html/nsHtml5TreeOpExecutor.cpp
+++ b/parser/html/nsHtml5TreeOpExecutor.cpp
@@ -351,6 +351,12 @@ nsHtml5TreeOpExecutor::RunFlushLoop()
 nsHtml5FlushLoopGuard guard(this);
 // this is also the self-kungfu!
 RefPtr parserKungFuDeathGrip(mParser);
+ RefPtr streamParserGrip;
+ if (mParser) {
+ streamParserGrip = GetParser()->GetStreamParser();
+ }
+ mozilla::Unused
+ << streamParserGrip; // Intentionally not used within function
 // Remember the entry time
 (void) nsContentSink::WillParseImpl();
@@ -409,11 +415,6 @@ nsHtml5TreeOpExecutor::RunFlushLoop()
 mOpQueue.Clear(); // clear in order to be able to assert in destructor
 return;
 }
- // Not sure if this grip is still needed, but previously, the code
- // gripped before calling ParseUntilBlocked();
- RefPtr streamKungFuDeathGrip =
- GetParser()->GetStreamParser();
- mozilla::Unused << streamKungFuDeathGrip; // Not used within function
 // Now parse content left in the document.write() buffer queue if any.
 // This may generate tree ops on its own or dequeue a speculation.
 nsresult rv = GetParser()->ParseUntilBlocked();
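Review bot: The new `streamParserGrip` in RunFlushLoop (and the identical block in the FlushDocumentWrite hunk at -529) is explained only by "Intentionally not used within function", while the -409 hunk deletes the old grip's comment, which was itself hedged ("Not sure if this grip is still needed"); nothing left in the code says why the extra reference must be held across the whole flush loop, so a later cleanup could remove it again and reintroduce the use-after-free this backport fixes. I would replace that trailing comment with one stating the lifetime reason, e.g. `// Keep the stream parser alive for the whole flush loop: the tree ops run below can presumably release the parser's own reference to it, and GetParser()->ParseUntilBlocked() later in this function still touches it (bug 1510114).` The `if (mParser)` guard before `GetParser()` looks right as far as the hunk shows, assuming GetParser() is derived from mParser. The body of RunFlushLoop continues outside both hunks.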
@@ -529,6 +530,12 @@ nsHtml5TreeOpExecutor::FlushDocumentWrite()
 RefPtr kungFuDeathGrip(this);
 RefPtr parserKungFuDeathGrip(mParser);
 mozilla::Unused << parserKungFuDeathGrip; // Intentionally not used within function
+ RefPtr streamParserGrip;
+ if (mParser) {
+ streamParserGrip = GetParser()->GetStreamParser();
+ }
+ mozilla::Unused
+ << streamParserGrip; // Intentionally not used within function
 NS_ASSERTION(!mReadingFromStage, "Got doc write flush when reading from stage");
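Review bot: The added `mozilla::Unused` expression is split over two lines (`mozilla::Unused` / `<< streamParserGrip;`) directly below the existing single-line `mozilla::Unused << parserKungFuDeathGrip;` in the same hunk, which makes the two grips read as if they were different constructs. I would write it the same way as the line above, `mozilla::Unused << streamParserGrip; // Intentionally not used within function`, here and in the RunFlushLoop hunk at -351. The six added lines are otherwise identical in both functions, so a small private helper that returns the `RefPtr` (taken only when `mParser` is set) would keep the two copies from drifting, though keeping the patch minimal is a fair call for a backport. FlushDocumentWrite continues outside the hunk.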