backport m-c 1510114: Fix Use-After-Free in the HTML5 Parser
parent
09ae277a2b
commit
7f7f6c6a22
|
@ -351,6 +351,12 @@ nsHtml5TreeOpExecutor::RunFlushLoop()
|
|||
nsHtml5FlushLoopGuard guard(this); // this is also the self-kungfu!
|
||||
|
||||
RefPtr<nsParserBase> parserKungFuDeathGrip(mParser);
|
||||
RefPtr<nsHtml5StreamParser> streamParserGrip;
|
||||
if (mParser) {
|
||||
streamParserGrip = GetParser()->GetStreamParser();
|
||||
}
|
||||
mozilla::Unused
|
||||
<< streamParserGrip; // Intentionally not used within function
|
||||
|
||||
// Remember the entry time
|
||||
(void) nsContentSink::WillParseImpl();
|
||||
|
@ -409,11 +415,6 @@ nsHtml5TreeOpExecutor::RunFlushLoop()
|
|||
mOpQueue.Clear(); // clear in order to be able to assert in destructor
|
||||
return;
|
||||
}
|
||||
// Not sure if this grip is still needed, but previously, the code
|
||||
// gripped before calling ParseUntilBlocked();
|
||||
RefPtr<nsHtml5StreamParser> streamKungFuDeathGrip =
|
||||
GetParser()->GetStreamParser();
|
||||
mozilla::Unused << streamKungFuDeathGrip; // Not used within function
|
||||
// Now parse content left in the document.write() buffer queue if any.
|
||||
// This may generate tree ops on its own or dequeue a speculation.
|
||||
nsresult rv = GetParser()->ParseUntilBlocked();
|
||||
|
@ -529,6 +530,12 @@ nsHtml5TreeOpExecutor::FlushDocumentWrite()
|
|||
RefPtr<nsHtml5TreeOpExecutor> kungFuDeathGrip(this);
|
||||
RefPtr<nsParserBase> parserKungFuDeathGrip(mParser);
|
||||
mozilla::Unused << parserKungFuDeathGrip; // Intentionally not used within function
|
||||
RefPtr<nsHtml5StreamParser> streamParserGrip;
|
||||
if (mParser) {
|
||||
streamParserGrip = GetParser()->GetStreamParser();
|
||||
}
|
||||
mozilla::Unused
|
||||
<< streamParserGrip; // Intentionally not used within function
|
||||
|
||||
NS_ASSERTION(!mReadingFromStage,
|
||||
"Got doc write flush when reading from stage");
|
||||
|
|
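Review bot: The grips added at the top of RunFlushLoop() and FlushDocumentWrite() are documented only as "Intentionally not used within function", which does not say why the stream parser must be held from function entry rather than just before ParseUntilBlocked(), where the lines dropped in the second hunk appear to have taken it. The dropped comment ("Not sure if this grip is still needed") suggests the reason had already been lost once, so I would record the invariant next to both grips, e.g. `// Hold the stream parser for the whole call; work done below may release the last other reference to it.` (wording to be confirmed against the bug, since the releasing path is not visible here). For consistency, `parserKungFuDeathGrip` in RunFlushLoop() could also get the `mozilla::Unused << parserKungFuDeathGrip;` line that FlushDocumentWrite() has. Both function bodies continue outside the hunks shown.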