Bug 896242. Fix possible crash due to dangling pointer to nsPluginElement. r=mccr8

--- dom/base/nsPluginArray.cpp | 24 +++++++++++++++++++----- dom/base/nsPluginArray.h | 1 + 2 files changed, 20 insertions(+), 5 deletions(-)
2024-09-13 09:24:08 -07:00 · 2013-07-24 23:33:21 -07:00 · 2013-07-24 23:33:21 -07:00 · a84c568ed5
commit a84c568ed5
parent b3d76cccc1
2 changed files with 20 additions and 5 deletions
--- a/dom/base/nsPluginArray.cpp
+++ b/dom/base/nsPluginArray.cpp
@ -282,8 +282,16 @@ NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION(nsPluginElement)
  NS_INTERFACE_MAP_ENTRY(nsISupports)
 NS_INTERFACE_MAP_END

-NS_IMPL_CYCLE_COLLECTION_WRAPPERCACHE_1(nsPluginElement,
-                                        mMimeTypes)
+NS_IMPL_CYCLE_COLLECTION_UNLINK_BEGIN(nsPluginElement)
+  NS_IMPL_CYCLE_COLLECTION_UNLINK_PRESERVED_WRAPPER
+  // Invalidate before we unlink mMimeTypes
+  tmp->Invalidate();
+  NS_IMPL_CYCLE_COLLECTION_UNLINK(mMimeTypes)
+NS_IMPL_CYCLE_COLLECTION_UNLINK_END
+NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN(nsPluginElement)
+  NS_IMPL_CYCLE_COLLECTION_TRAVERSE_SCRIPT_OBJECTS
+NS_IMPL_CYCLE_COLLECTION_TRAVERSE_END
+NS_IMPL_CYCLE_COLLECTION_TRACE_WRAPPERCACHE(nsPluginElement)

 nsPluginElement::nsPluginElement(nsWeakPtr aWindow,
                                 nsPluginTag* aPluginTag)
@ -295,9 +303,7 @@ nsPluginElement::nsPluginElement(nsWeakPtr aWindow,

 nsPluginElement::~nsPluginElement()
 {
-  for (uint32_t i = 0; i < mMimeTypes.Length(); ++i) {
-    mMimeTypes[i]->Invalidate();
-  }
+  Invalidate();
 }

 nsPIDOMWindow*
@ -419,3 +425,11 @@ nsPluginElement::EnsureMimeTypes()
    mMimeTypes.AppendElement(new nsMimeType(mWindow, this, i, type));
  }
 }
+
+void
+nsPluginElement::Invalidate()
+{
+  for (uint32_t i = 0; i < mMimeTypes.Length(); ++i) {
+    mMimeTypes[i]->Invalidate();
+  }
+}
--- a/dom/base/nsPluginArray.h
+++ b/dom/base/nsPluginArray.h
@ -102,6 +102,7 @@ public:

 protected:
  void EnsureMimeTypes();
+  void Invalidate();

  nsWeakPtr mWindow;
  nsRefPtr<nsPluginTag> mPluginTag;