summaryrefslogtreecommitdiff
path: root/parser/html
diff options
context:
space:
mode:
authorGaming4JC <g4jc@hyperbola.info>2019-05-04 18:42:29 -0400
committerGaming4JC <g4jc@hyperbola.info>2019-05-04 18:42:29 -0400
commit4ed4303dd11f61123a93faf8e9c6cbe69f2349c9 (patch)
treef7151af3381735036520dabaffb878ef90510a44 /parser/html
parentaa4055cb420d23ae105c39b2f13d68352a9fad36 (diff)
downloaduxp-4ed4303dd11f61123a93faf8e9c6cbe69f2349c9.tar.gz
backport m-c 1510114: Fix Use-After-Free in the HTML5 Parser
Fixes #1076
Diffstat (limited to 'parser/html')
-rw-r--r--parser/html/nsHtml5TreeOpExecutor.cpp17
1 files changed, 12 insertions, 5 deletions
diff --git a/parser/html/nsHtml5TreeOpExecutor.cpp b/parser/html/nsHtml5TreeOpExecutor.cpp
index 4684496985..5c3f32d6fb 100644
--- a/parser/html/nsHtml5TreeOpExecutor.cpp
+++ b/parser/html/nsHtml5TreeOpExecutor.cpp
@@ -351,6 +351,12 @@ nsHtml5TreeOpExecutor::RunFlushLoop()
nsHtml5FlushLoopGuard guard(this); // this is also the self-kungfu!
RefPtr<nsParserBase> parserKungFuDeathGrip(mParser);
+ RefPtr<nsHtml5StreamParser> streamParserGrip;
+ if (mParser) {
+ streamParserGrip = GetParser()->GetStreamParser();
+ }
+ mozilla::Unused
+ << streamParserGrip; // Intentionally not used within function
// Remember the entry time
(void) nsContentSink::WillParseImpl();
@@ -409,11 +415,6 @@ nsHtml5TreeOpExecutor::RunFlushLoop()
mOpQueue.Clear(); // clear in order to be able to assert in destructor
return;
}
- // Not sure if this grip is still needed, but previously, the code
- // gripped before calling ParseUntilBlocked();
- RefPtr<nsHtml5StreamParser> streamKungFuDeathGrip =
- GetParser()->GetStreamParser();
- mozilla::Unused << streamKungFuDeathGrip; // Not used within function
// Now parse content left in the document.write() buffer queue if any.
// This may generate tree ops on its own or dequeue a speculation.
nsresult rv = GetParser()->ParseUntilBlocked();
@@ -529,6 +530,12 @@ nsHtml5TreeOpExecutor::FlushDocumentWrite()
RefPtr<nsHtml5TreeOpExecutor> kungFuDeathGrip(this);
RefPtr<nsParserBase> parserKungFuDeathGrip(mParser);
mozilla::Unused << parserKungFuDeathGrip; // Intentionally not used within function
+ RefPtr<nsHtml5StreamParser> streamParserGrip;
+ if (mParser) {
+ streamParserGrip = GetParser()->GetStreamParser();
+ }
+ mozilla::Unused
+ << streamParserGrip; // Intentionally not used within function
NS_ASSERTION(!mReadingFromStage,
"Got doc write flush when reading from stage");