Bug 1347657 - Use array entry as value instead of reference to avoid …

…being invalidated by realloc. r=francois nsTArray::AppendElement may cause memory reallocation if out of capacity. In nsUrlClassifierStreamUpdater::FetchNextRequest(), we take the reference of the first element of mPendingRequests and pass its member as reference to DownloadUpdate(), where mPendingRequests.AppendElement will be called. If the AppendElement in DownloadUpdate() causes realloc, the reference becomes dangling. The most efficient fix is to "move" the reference's (i.e. request) member variables to DownloadUpdate() but I think in this case we can just take the value from the array and pass it around with no given that the array element contains simply a couple of strings and pointers. MozReview-Commit-ID: KEZ5d3l3HoI
JerryShih · Mar 16, 2017 · 52abba2 · 52abba2
1 parent 7b61850
commit 52abba2
Showing 1 changed file with 2 additions and 6 deletions.
diff --git a/toolkit/components/url-classifier/nsUrlClassifierStreamUpdater.cpp b/toolkit/components/url-classifier/nsUrlClassifierStreamUpdater.cpp
@@ -375,7 +375,8 @@ nsUrlClassifierStreamUpdater::FetchNextRequest()
     return NS_OK;
   }
 
-  PendingRequest &request = mPendingRequests[0];
+  PendingRequest request = mPendingRequests[0];
+  mPendingRequests.RemoveElementAt(0);
   LOG(("Stream updater: fetching next request: %s, %s",
        request.mTables.get(), request.mUrl.get()));
   bool dummy;
@@ -388,11 +389,6 @@ nsUrlClassifierStreamUpdater::FetchNextRequest()
     request.mUpdateErrorCallback,
     request.mDownloadErrorCallback,
     &dummy);
-  request.mSuccessCallback = nullptr;
-  request.mUpdateErrorCallback = nullptr;
-  request.mDownloadErrorCallback = nullptr;
-  mPendingRequests.RemoveElementAt(0);
-
   return NS_OK;
 }