backport m-c 1510114: Fix Use-After-Free in the HTML5 Parser

2019-07-08 13:08:10 +03:00 · 2019-07-08 13:08:10 +03:00 · 7f7f6c6a22
parent 09ae277a2b
commit 7f7f6c6a22
1 changed files with 12 additions and 5 deletions
--- a/parser/html/nsHtml5TreeOpExecutor.cpp
+++ b/parser/html/nsHtml5TreeOpExecutor.cpp
@ -351,6 +351,12 @@ nsHtml5TreeOpExecutor::RunFlushLoop()
  nsHtml5FlushLoopGuard guard(this); // this is also the self-kungfu!
  
  RefPtr<nsParserBase> parserKungFuDeathGrip(mParser);
+  RefPtr<nsHtml5StreamParser> streamParserGrip;
+  if (mParser) {
+    streamParserGrip = GetParser()->GetStreamParser();
+  }
+  mozilla::Unused
+      << streamParserGrip;  // Intentionally not used within function

  // Remember the entry time
  (void) nsContentSink::WillParseImpl();
@ -409,11 +415,6 @@ nsHtml5TreeOpExecutor::RunFlushLoop()
        mOpQueue.Clear(); // clear in order to be able to assert in destructor
        return;
      }
-      // Not sure if this grip is still needed, but previously, the code
-      // gripped before calling ParseUntilBlocked();
-      RefPtr<nsHtml5StreamParser> streamKungFuDeathGrip = 
-        GetParser()->GetStreamParser();
-      mozilla::Unused << streamKungFuDeathGrip; // Not used within function
      // Now parse content left in the document.write() buffer queue if any.
      // This may generate tree ops on its own or dequeue a speculation.
      nsresult rv = GetParser()->ParseUntilBlocked();
@ -529,6 +530,12 @@ nsHtml5TreeOpExecutor::FlushDocumentWrite()
  RefPtr<nsHtml5TreeOpExecutor> kungFuDeathGrip(this);
  RefPtr<nsParserBase> parserKungFuDeathGrip(mParser);
  mozilla::Unused << parserKungFuDeathGrip; // Intentionally not used within function
+  RefPtr<nsHtml5StreamParser> streamParserGrip;
+  if (mParser) {
+    streamParserGrip = GetParser()->GetStreamParser();
+  }
+  mozilla::Unused
+      << streamParserGrip;  // Intentionally not used within function

  NS_ASSERTION(!mReadingFromStage,
    "Got doc write flush when reading from stage");