Bug 1267000 - null deref with spdy proxy. r=hurley, a=ritu
authorPatrick McManus <mcmanus@ducksong.com>
Wed, 27 Apr 2016 16:25:22 -0400
changeset 326086 5eabfc6b184e07a730a51ccc0f49f3726eb13da5
parent 326085 8cc479e6816113b4108048f3643ca1be24425f82
child 326087 c70884434329840e438734d1d35d69e77a9092c6
push id1128
push userjlund@mozilla.com
push dateWed, 01 Jun 2016 01:31:59 +0000
reviewershurley, ritu
bugs1267000
milestone47.0
Bug 1267000 - null deref with spdy proxy. r=hurley, a=ritu
netwerk/protocol/http/SpdySession31.cpp
--- a/netwerk/protocol/http/SpdySession31.cpp
+++ b/netwerk/protocol/http/SpdySession31.cpp
@@ -2106,25 +2106,27 @@ SpdySession31::WriteSegmentsAgain(nsAHtt
   if (mDownstreamState == PROCESSING_DATA_FRAME ||
       mDownstreamState == PROCESSING_COMPLETE_HEADERS) {
 
     // The cleanup stream should only be set while stream->WriteSegments is
     // on the stack and then cleaned up in this code block afterwards.
     MOZ_ASSERT(!mNeedsCleanup, "cleanup stream set unexpectedly");
     mNeedsCleanup = nullptr;                     /* just in case */
 
+    // The writesegments() stack can clear mInputFrameDataStream so
+    // only reference this local copy of it afterwards
     SpdyStream31 *stream = mInputFrameDataStream;
     mSegmentWriter = writer;
     rv = mInputFrameDataStream->WriteSegments(this, count, countWritten);
     bool channelPipeFull = false;
     if (rv == NS_BASE_STREAM_WOULD_BLOCK) {
       LOG3(("SpdySession31::WriteSegments session=%p stream=%p 0x%X "
             "stream channel pipe full\n",
             this, stream, stream ? stream->StreamID() : 0));
-      channelPipeFull = mInputFrameDataStream->ChannelPipeFull();
+      channelPipeFull = stream->ChannelPipeFull();
     }
     mSegmentWriter = nullptr;
 
     mLastDataReadEpoch = mLastReadEpoch;
 
     if (SoftStreamError(rv)) {
       // This will happen when the transaction figures out it is EOF, generally
       // due to a content-length match being made. Return OK from this function
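Review bot: The new line `channelPipeFull = stream->ChannelPipeFull();` dereferences `stream` unconditionally, while the LOG3 call two lines above guards the same pointer with `stream ? stream->StreamID() : 0`; the two are inconsistent and the guard is misleading about whether null is possible here. Since `stream` is copied from `mInputFrameDataStream` immediately before that member is itself dereferenced for `WriteSegments`, the local cannot be null at this point, so the ternary in the log line is dead and could be simplified to `stream->StreamID()` for consistency, or the new call given the same guard if a null is actually expected. The added comment explains why the member is not re-read, but not why the pointed-to object is still valid after `WriteSegments`; from the `mNeedsCleanup` comment earlier in the block it appears cleanup is deferred until after this code, so a one-line addition such as `// the stream object itself is kept alive until the mNeedsCleanup handling below` would document the assumption that makes the raw local safe — worth confirming against the cleanup path, which is outside the hunk. The enclosing function continues past the end of the hunk.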