From 0c9d0e2f876e185884747855277d3e89e6fbc421 Mon Sep 17 00:00:00 2001
From: Brian Hackett
Date: Fri, 23 Nov 2018 09:09:18 -1000
Subject: [PATCH] Bug 1509562 Part 2 - Avoid UAF when resetting middleman calls, r=lsmyth.
--HG--
extra : rebase_source : 9b293c766746741b5835b924b89f246ce557f4c4
---
 toolkit/recordreplay/MiddlemanCall.cpp | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/toolkit/recordreplay/MiddlemanCall.cpp b/toolkit/recordreplay/MiddlemanCall.cpp
index 9f6d0a01425b..c3863cb4378d 100644
--- a/toolkit/recordreplay/MiddlemanCall.cpp
+++ b/toolkit/recordreplay/MiddlemanCall.cpp
@@ -224,16 +224,21 @@ ResetMiddlemanCalls()
 MiddlemanCallContext cx(call, &arguments, MiddlemanCallPhase::MiddlemanRelease);
 GetRedirection(call->mCallId).mMiddlemanCall(cx);
-
- delete call;
 }
 }
+ // Delete the calls in a second pass. The MiddlemanRelease phase depends on
+ // previous middleman calls still existing.
+ for (MiddlemanCall* call : gMiddlemanCalls) {
+ delete call;
+ }
+ gMiddlemanCalls.clear();
 for (auto buffer : gAllocatedBuffers) {
 free(buffer);
 }
 gAllocatedBuffers.clear();
+ gMiddlemanCallMap->clear();
 }
 ///////////////////////////////////////////////////////////////////////////////
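Review bot: `gMiddlemanCallMap->clear();` is added at the very end of ResetMiddlemanCalls, after the delete pass and after the buffer-freeing loop, so if the map's entries refer to the MiddlemanCall objects (which the Part 2 title "Avoid UAF" suggests, but the hunk does not show), there is a window in which the map still holds pointers to freed calls; moving the clear to sit directly after `gMiddlemanCalls.clear();` would empty every container that references the calls in one place, immediately after they are deleted, and is easier to audit. The new line also carries no comment saying why it is needed, unlike the second-pass loop above it; something like `// Entries in the map refer to the calls just deleted; drop them so no stale pointer can be looked up.` would record the reason (adjust if the map's values are not the call pointers). If gMiddlemanCallMap can be null when this function runs, the unconditional dereference would crash, so the clear should be guarded — I cannot tell from this hunk how or when the map is allocated. The first loop and the start of ResetMiddlemanCalls lie outside the hunk.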