Bug 1267000 - null deref with spdy proxy. r=hurley, a=ritu
authorPatrick McManus <mcmanus@ducksong.com>
Wed, 27 Apr 2016 16:25:22 -0400
changeset 332640 a48ee51d763144e79f666975501c15f0dda7af7c
parent 332639 31c52d84503f2273fe794cfa8ea7e5bcaabc19ee
child 332641 c81c8dd00dcc17e03b2cce6264d4c8a110c76a9c
reviewershurley, ritu
bugs1267000
milestone48.0a2
Bug 1267000 - null deref with spdy proxy. r=hurley, a=ritu
netwerk/protocol/http/SpdySession31.cpp
--- a/netwerk/protocol/http/SpdySession31.cpp
+++ b/netwerk/protocol/http/SpdySession31.cpp
@@ -2106,25 +2106,27 @@ SpdySession31::WriteSegmentsAgain(nsAHtt
   if (mDownstreamState == PROCESSING_DATA_FRAME ||
       mDownstreamState == PROCESSING_COMPLETE_HEADERS) {
 
     // The cleanup stream should only be set while stream->WriteSegments is
     // on the stack and then cleaned up in this code block afterwards.
     MOZ_ASSERT(!mNeedsCleanup, "cleanup stream set unexpectedly");
     mNeedsCleanup = nullptr;                     /* just in case */
 
+    // The writesegments() stack can clear mInputFrameDataStream so
+    // only reference this local copy of it afterwards
     SpdyStream31 *stream = mInputFrameDataStream;
     mSegmentWriter = writer;
     rv = mInputFrameDataStream->WriteSegments(this, count, countWritten);
     bool channelPipeFull = false;
     if (rv == NS_BASE_STREAM_WOULD_BLOCK) {
       LOG3(("SpdySession31::WriteSegments session=%p stream=%p 0x%X "
             "stream channel pipe full\n",
             this, stream, stream ? stream->StreamID() : 0));
-      channelPipeFull = mInputFrameDataStream->ChannelPipeFull();
+      channelPipeFull = stream->ChannelPipeFull();
     }
     mSegmentWriter = nullptr;
 
     mLastDataReadEpoch = mLastReadEpoch;
 
     if (SoftStreamError(rv)) {
       // This will happen when the transaction figures out it is EOF, generally
       // due to a content-length match being made. Return OK from this function
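Review bot: The new `channelPipeFull = stream->ChannelPipeFull();` line dereferences the saved pointer unconditionally while the LOG3 call two lines above guards it with `stream ? stream->StreamID() : 0`, so the block is inconsistent about whether `stream` can be null. Since `mInputFrameDataStream->WriteSegments(this, count, countWritten);` at the top of the block already requires the pointer to be non-null, the guard is dead; the block would read more honestly with `MOZ_ASSERT(stream, "no input frame data stream");` before the call and `rv = stream->WriteSegments(this, count, countWritten);` in place of the member access, which also matches the new comment that only the local copy is referenced afterwards. The saved raw pointer only turns the null deref into safe code if whatever clears mInputFrameDataStream inside the WriteSegments stack does not also destroy the stream; the surrounding mNeedsCleanup comment suggests cleanup is deferred to later in this block, but that lifetime assumption should be stated on the local, e.g. `// the stream object itself outlives this call; it is only torn down via mNeedsCleanup below`. WriteSegmentsAgain continues past the end of the hunk, so the cleanup path that would confirm this is not visible here.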