2024-07-15 13:42 BST

View Issue Details Jump to Notes ]
IDProjectCategoryView StatusLast Update
0002443NetSurf[All Projects] Generalpublic2016-03-16 08:53
ReporterVincent Sanders 
Assigned To 
Product Version3.5 
Target Version4.0Fixed in Version 
Summary0002443: form gadget lifetime is broken
Descriptionthe creation of gadgets in the box tree generation may leak memory on error. The alternative is a possible double free
Additional Informationbox creation in render/box_construct.c calls

html_forms_get_control_for_node(content->forms, n);

to obtain a gadget for a DOM node and generally puts the returned gadget on the box tree

box_select is the exception and processes the DOM nodes children. If there is an error in the child DOM node processing for any reason it abandons (partial) box creation and some error paths free the form control.

The form control returned from html_forms_get_control_for_node() should never be freed however as the return is memoised on the content->forms structure and there may be other users.

However html_forms_get_control_for_node() may create a gadget but fail to add it to content->forms if there is an error or there is not form element on the DOM. Additionally if there is an error it constructs a "fake" gadget

see render/html_forms.c around line 527 for details.
TagsNo tags attached.
Fixed in CI build #
Reported in CI build #
URL of problem page
Attached Files


Vincent Sanders


Vincent Sanders (administrator)

as per jmb suggestion I have reverted the currently crashing error path form control freeing and am looking for a correct solution to fix form gadget lifetimes properly.

-Issue History
Date Modified Username Field Change
2016-03-16 08:41 Vincent Sanders New Issue
2016-03-16 08:53 Vincent Sanders Note Added: 0001350
2016-03-16 08:53 Vincent Sanders Status new => confirmed
2016-03-16 08:53 Vincent Sanders Additional Information Updated View Revisions
+Issue History