Bug 1310556 - keep |this| alive to avoid UAF. r=JamesCheng

MozReview-Commit-ID: 19glCcrheru

--HG--
extra : rebase_source : 30f97dea9b0433d27573bfb93b2d880cc9056f80
JW Wang 2016-10-17 14:23:52 +08:00
Родитель 4ba6bbd9e5
Коммит 4bec362935
1 изменённых файлов: 7 добавлений и 6 удалений


@ -248,8 +248,13 @@ public:
SLOG("change state to: %s", ToStateStr(s->GetState())); SLOG("change state to: %s", ToStateStr(s->GetState()));
Exit(); Exit();
// Note |aArgs| might reference data members of |this|. We need to keep
// |this| alive until |s->Enter()| returns.
UniquePtr<StateObject> deathGrip(master->mStateObj.release());
master->mState = s->GetState(); master->mState = s->GetState();
master->mStateObj.reset(s); // Will delete |this|! master->mStateObj.reset(s);
return s->Enter(Forward<Ts>(aArgs)...); return s->Enter(Forward<Ts>(aArgs)...);
} }
@ -982,11 +987,7 @@ DecodeMetadataState::OnMetadataRead(MetadataHolder* aMetadata)
if (waitingForCDM) { if (waitingForCDM) {
// Metadata parsing was successful but we're still waiting for CDM caps // Metadata parsing was successful but we're still waiting for CDM caps
// to become available so that we can build the correct decryptor/decoder. // to become available so that we can build the correct decryptor/decoder.
SetState<WaitForCDMState>(mPendingDormant);
// FIXME: passing data members to SetState() will cause UAF because |this|
// is deleted before the call to newState::Enter().
bool pendingDormant = mPendingDormant;
SetState<WaitForCDMState>(pendingDormant);
} else if (mPendingDormant) { } else if (mPendingDormant) {
SetState<DormantState>(); SetState<DormantState>();
} else { } else {
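Review bot: The deathGrip added in the first hunk keeps |this| alive only if master->mStateObj currently owns |this|; should SetState() ever run on a state object that is no longer the installed one, release() hands the grip a different object and the use-after-free this commit fixes quietly returns. That precondition is cheap to pin down right before the release, e.g. `MOZ_ASSERT(master->mStateObj.get() == this);`, and it is also what makes dropping the copy-to-local workaround in the second hunk safe for every caller that passes a data member. I would also extend the new comment with where |this| finally dies, e.g. `// |this| is destroyed when deathGrip goes out of scope, i.e. after Enter() returns.`. The enclosing SetState body begins outside the hunk, so how |master| is obtained could not be checked here.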