gnash-commit

[Gnash-commit] [bug #39404] invalid read from XMLNode_as::clearChildren()


From: Bastiaan Jacques
Subject: [Gnash-commit] [bug #39404] invalid read from XMLNode_as::clearChildren()
Date: Wed, 03 Jul 2013 12:55:08 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0

Update of bug #39404 (project gnash):

                Severity:           4 - Important => 6 - Security           

    _______________________________________________________

Follow-up Comment #4:

So here's my theory.

Supposing a simple parsed XML tree:

XMLobj -> child -> grandchild 

Where XMLobj is the root node, which is kept alive by AS. Let's assume XMLobj
clears its tree by parsing a new XML document. Because XMLobj owns child, it
can simply forget about child, and child will automatically be
garbage-collected because child's setReachable will no longer be called. In
turn, grandchild will also be garbage collected, because it is owned by
child.

The complication arises when a node clears its children: because not all
children are GcResources, it checks whether a child is a GcResource by testing
if it has an associated as_object, and deletes if the child doesn't.

This works fine, but this presumes that child and grandchild are
garbage-collected in order of precedence (i.e., parent first). As it turns
out, the garbage collector is just as, or perhaps more, likely to destroy
grandchild before child. And in that case, when child is deleted after
grandchild, child attempts to probe grandchild, which is already deleted.

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?39404>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
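The destruction-order problem described in the comment, modelled in C++ as an added illustration; this is not Gnash code and not the commenter's. `Arena`, `Node`, `release()` and the `detachOnFree` flag are constructed for the model: nodes are never really deleted, so a probe of an already-collected child is counted as an "invalid read" instead of becoming undefined behaviour. The hardened variant (a collected node first unlinks itself from its parent, and a parent nulls a child's parent pointer when it forgets it) is one possible mitigation for the model, not a fix the bug report proposes.

```cpp
// Added model of the destruction-order problem described in the bug comment.
// Arena, Node and the "detach on free" variant are constructed for this
// illustration; they are not Gnash's classes.
#include <algorithm>
#include <cstdio>
#include <initializer_list>
#include <memory>
#include <vector>

struct Arena;

struct Node {
    bool gcManaged = false;    // has an associated as_object: owned by the GC
    bool detachOnFree = false; // hardened variant: unlink from parent when collected
    bool freed = false;        // simulated "this memory has been released"
    Node* parent = nullptr;
    std::vector<Node*> children;
    Arena* arena = nullptr;

    void appendChild(Node* c) { c->parent = this; children.push_back(c); }
    void clearChildren();
};

// Stand-in for the allocator. Nodes are never really deleted, so a probe of
// a released node is counted instead of being undefined behaviour.
struct Arena {
    std::vector<std::unique_ptr<Node>> nodes;
    int invalidReads = 0;

    Node* make(bool gcManaged, bool detachOnFree) {
        auto n = std::make_unique<Node>();
        n->gcManaged = gcManaged;
        n->detachOnFree = detachOnFree;
        n->arena = this;
        nodes.push_back(std::move(n));
        return nodes.back().get();
    }

    // What happens when a node is destroyed, either by the GC sweep or
    // explicitly by its parent (for non-GC children).
    void release(Node* n) {
        if (n->freed) return;
        if (n->detachOnFree && n->parent) {
            // Hardened: leave the parent's child list before going away.
            auto& sib = n->parent->children;
            sib.erase(std::remove(sib.begin(), sib.end(), n), sib.end());
            n->parent = nullptr;
        }
        n->clearChildren();
        n->freed = true;
    }

    int freedCount() const {
        int c = 0;
        for (const auto& n : nodes) c += n->freed ? 1 : 0;
        return c;
    }
};

// Mirrors the logic the comment describes: probe each child to see whether it
// is a GcResource (has an as_object) and delete it only if it is not.
void Node::clearChildren() {
    for (Node* c : children) {
        if (c->freed) {                 // the bug: reading an already-collected child
            arena->invalidReads++;
            continue;
        }
        if (detachOnFree) c->parent = nullptr;  // parent forgets the child first
        if (!c->gcManaged) arena->release(c);   // non-GC child: we own it, free it
    }
    children.clear();
}

struct Outcome { int invalidReads; int freedNodes; };

// XMLobj -> child -> grandchild -> text, where text is a non-GC child.
// XMLobj forgets child (a new document is parsed); the GC then sweeps the two
// GC-managed nodes in the given order.
Outcome runScenario(bool grandchildFirst, bool hardened) {
    Arena arena;
    Node* xmlobj = arena.make(true, hardened);
    Node* child = arena.make(true, hardened);
    Node* grandchild = arena.make(true, hardened);
    Node* text = arena.make(false, hardened);
    xmlobj->appendChild(child);
    child->appendChild(grandchild);
    grandchild->appendChild(text);

    xmlobj->clearChildren();
    if (grandchildFirst) { arena.release(grandchild); arena.release(child); }
    else                 { arena.release(child);      arena.release(grandchild); }
    return Outcome{arena.invalidReads, arena.freedCount()};
}

int main() {
    const char* order[] = {"parent first", "grandchild first"};
    for (bool hardened : {false, true})
        for (bool gf : {false, true}) {
            Outcome o = runScenario(gf, hardened);
            std::printf("%-9s %-16s invalid reads: %d, nodes freed: %d\n",
                        hardened ? "hardened" : "original", order[gf ? 1 : 0],
                        o.invalidReads, o.freedNodes);
        }
    return 0;
}
```

Running it shows the original logic is clean when the parent is collected first and records one invalid read when the grandchild goes first, exactly the ordering the comment describes; the detach-on-free variant records none in either order while still freeing the same three nodes, so ownership of the non-GC text node is preserved.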
