|ID||Project||Category||View Status||Date Submitted||Last Update|
|0002443||NetSurf||[All Projects] General||public||2016-03-16 08:41||2016-03-16 08:53|
|Target Version||4.0||Fixed in Version|
|Summary||0002443: form gadget lifetime is broken|
|Description||The creation of gadgets in the box tree generation may leak memory on error. The alternative is a possible double free.|
|Additional Information||box creation in render/box_construct.c calls|
to obtain a gadget for a DOM node and generally puts the returned gadget on the box tree
box_select is the exception and processes the DOM node's children. If there is an error in the child DOM node processing for any reason, it abandons (partial) box creation, and some error paths free the form control.
The form control returned from html_forms_get_control_for_node() should never be freed, however, as the return is memoised on the content->forms structure and there may be other users.
However, html_forms_get_control_for_node() may create a gadget but fail to add it to content->forms if there is an error or there is no form element on the DOM. Additionally, if there is an error, it constructs a "fake" gadget
see render/html_forms.c around line 527 for details.
|Tags||No tags attached.|
Vincent Sanders (administrator)
|As per jmb's suggestion, I have reverted the currently crashing error path form control freeing and am looking for a correct solution to fix form gadget lifetimes properly.|
|2016-03-16 08:41||Vincent Sanders||New Issue|
|2016-03-16 08:53||Vincent Sanders||Note Added: 0001350|
|2016-03-16 08:53||Vincent Sanders||Status||new => confirmed|
|2016-03-16 08:53||Vincent Sanders||Additional Information Updated|
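
An added example, not NetSurf code and not the project's fix: a toy C model of one ownership rule that avoids both outcomes named in the report (a leak or a double free). All names (`struct registry`, `get_control`, `build_box`, `can_register`) are hypothetical; `registry` stands in for content->forms, and `can_register` models the "error or no form element" case.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Toy model with hypothetical names; registry stands in for content->forms. */
struct control { const void *node; struct control *next; };
struct registry { struct control *head; };

/* Memoising lookup. The registry owns every control it returns, so callers
 * never free the result. A control that cannot be registered is never
 * created, so no unowned pointer can escape to an error path. */
static struct control *get_control(struct registry *r, const void *node,
                                   bool can_register)
{
    struct control *c;
    for (c = r->head; c != NULL; c = c->next)
        if (c->node == node)
            return c;                 /* shared pointer: other users may hold it */
    if (!can_register)
        return NULL;                  /* fail closed instead of a "fake" object */
    c = calloc(1, sizeof *c);
    if (c == NULL)
        return NULL;
    c->node = node;
    c->next = r->head;
    r->head = c;
    return c;
}

/* Single point of destruction; returns how many controls were freed. */
static int registry_destroy(struct registry *r)
{
    int n = 0;
    while (r->head != NULL) {
        struct control *c = r->head;
        r->head = c->next;
        free(c);
        n++;
    }
    return n;
}

/* Caller modelled on the select-box path: child processing may fail. */
static bool build_box(struct registry *r, const void *node, bool children_ok)
{
    struct control *c = get_control(r, node, true);
    if (c == NULL || !children_ok)
        return false;                 /* abandon the box, but no free(c) here */
    return true;
}
```
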