MantisBT - NetSurf | |||||
View Issue Details | |||||
ID | Project | Category | View Status | Date Submitted | Last Update |
0002443 | NetSurf | [All Projects] General | public | 2016-03-16 08:41 | 2016-03-16 08:53 |
Reporter | Vincent Sanders | ||||
---|---|---|---|---|---|
Assigned To | |||||
Priority | normal | Severity | block | Reproducibility | always |
Status | confirmed | Resolution | open | ||
Platform | OS | OS Version | |||
Product Version | 3.5 | ||||
Target Version | 4.0 | Fixed in Version | |||
Fixed in CI build # | |||||
Reported in CI build # | |||||
URL of problem page | |||||
Summary | 0002443: form gadget lifetime is broken | ||||
Description | the creation of gadgets in the box tree generation may leak memory on error. The alternative is a possible double free | ||||
Additional Information | box creation in render/box_construct.c calls html_forms_get_control_for_node(content->forms, n); to obtain a gadget for a DOM node and generally puts the returned gadget on the box tree box_select is the exception and processes the DOM nodes children. If there is an error in the child DOM node processing for any reason it abandons (partial) box creation and some error paths free the form control. The form control returned from html_forms_get_control_for_node() should never be freed however as the return is memoised on the content->forms structure and there may be other users. However html_forms_get_control_for_node() may create a gadget but fail to add it to content->forms if there is an error or there is not form element on the DOM. Additionally if there is an error it constructs a "fake" gadget see render/html_forms.c around line 527 for details. | ||||
Tags | No tags attached. | ||||
Relationships | |||||
Attached Files |
Notes | |||||
|
|||||
|
|
Issue History | |||||
Date Modified | Username | Field | Change | ||
---|---|---|---|---|---|
2016-03-16 08:41 | Vincent Sanders | New Issue | |||
2016-03-16 08:53 | Vincent Sanders | Note Added: 0001350 | |||
2016-03-16 08:53 | Vincent Sanders | Status | new => confirmed | ||
2016-03-16 08:53 | Vincent Sanders | Additional Information Updated | bug_revision_view_page.php?rev_id=1847#r1847 |