backport m-c 1510114: Fix Use-After-Free in the HTML5 Parser
parent
09ae277a2b
commit
7f7f6c6a22
|
@ -351,6 +351,12 @@ nsHtml5TreeOpExecutor::RunFlushLoop()
|
||||||
nsHtml5FlushLoopGuard guard(this); // this is also the self-kungfu!
|
nsHtml5FlushLoopGuard guard(this); // this is also the self-kungfu!
|
||||||
|
|
||||||
RefPtr<nsParserBase> parserKungFuDeathGrip(mParser);
|
RefPtr<nsParserBase> parserKungFuDeathGrip(mParser);
|
||||||
|
RefPtr<nsHtml5StreamParser> streamParserGrip;
|
||||||
|
if (mParser) {
|
||||||
|
streamParserGrip = GetParser()->GetStreamParser();
|
||||||
|
}
|
||||||
|
mozilla::Unused
|
||||||
|
<< streamParserGrip; // Intentionally not used within function
|
||||||
|
|
||||||
// Remember the entry time
|
// Remember the entry time
|
||||||
(void) nsContentSink::WillParseImpl();
|
(void) nsContentSink::WillParseImpl();
|
||||||
|
@ -409,11 +415,6 @@ nsHtml5TreeOpExecutor::RunFlushLoop()
|
||||||
mOpQueue.Clear(); // clear in order to be able to assert in destructor
|
mOpQueue.Clear(); // clear in order to be able to assert in destructor
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
// Not sure if this grip is still needed, but previously, the code
|
|
||||||
// gripped before calling ParseUntilBlocked();
|
|
||||||
RefPtr<nsHtml5StreamParser> streamKungFuDeathGrip =
|
|
||||||
GetParser()->GetStreamParser();
|
|
||||||
mozilla::Unused << streamKungFuDeathGrip; // Not used within function
|
|
||||||
// Now parse content left in the document.write() buffer queue if any.
|
// Now parse content left in the document.write() buffer queue if any.
|
||||||
// This may generate tree ops on its own or dequeue a speculation.
|
// This may generate tree ops on its own or dequeue a speculation.
|
||||||
nsresult rv = GetParser()->ParseUntilBlocked();
|
nsresult rv = GetParser()->ParseUntilBlocked();
|
||||||
|
@ -529,6 +530,12 @@ nsHtml5TreeOpExecutor::FlushDocumentWrite()
|
||||||
RefPtr<nsHtml5TreeOpExecutor> kungFuDeathGrip(this);
|
RefPtr<nsHtml5TreeOpExecutor> kungFuDeathGrip(this);
|
||||||
RefPtr<nsParserBase> parserKungFuDeathGrip(mParser);
|
RefPtr<nsParserBase> parserKungFuDeathGrip(mParser);
|
||||||
mozilla::Unused << parserKungFuDeathGrip; // Intentionally not used within function
|
mozilla::Unused << parserKungFuDeathGrip; // Intentionally not used within function
|
||||||
|
RefPtr<nsHtml5StreamParser> streamParserGrip;
|
||||||
|
if (mParser) {
|
||||||
|
streamParserGrip = GetParser()->GetStreamParser();
|
||||||
|
}
|
||||||
|
mozilla::Unused
|
||||||
|
<< streamParserGrip; // Intentionally not used within function
|
||||||
|
|
||||||
NS_ASSERTION(!mReadingFromStage,
|
NS_ASSERTION(!mReadingFromStage,
|
||||||
"Got doc write flush when reading from stage");
|
"Got doc write flush when reading from stage");
|
||||||
|
|
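Review bot: The new `streamParserGrip` in RunFlushLoop() and FlushDocumentWrite() carries only the comment `// Intentionally not used within function`, so nothing on the new side records why the stream parser must now be held from function entry rather than just before `ParseUntilBlocked()`, where the removed grip sat. Since these grips are the use-after-free fix, I would state the lifetime requirement at both sites, for example `// Keep the stream parser alive for the whole flush; work done below may drop the parser's reference to it.` The exact release path is not visible in these hunks, so the wording should be matched to the bug. The six-line grip block is also duplicated verbatim in the two functions; a small private helper returning the `RefPtr<nsHtml5StreamParser>` (null when `mParser` is null) would keep the two sites from drifting apart. Both function bodies continue outside the hunks shown.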