Bug 1347657 - Use array entry as value instead of reference to avoid …

…being invalidated by realloc. r=francois nsTArray::AppendElement may cause memory reallocation if out of capacity. In nsUrlClassifierStreamUpdater::FetchNextRequest(), we take the reference of the first element of mPendingRequests and pass its member as reference to DownloadUpdate(), where mPendingRequests.AppendElement will be called. If the AppendElement in DownloadUpdate() causes realloc, the reference becomes dangling. The most efficient fix is to "move" the reference's (i.e. request) member variables to DownloadUpdate() but I think in this case we can just take the value from the array and pass it around with no given that the array element contains simply a couple of strings and pointers. MozReview-Commit-ID: KEZ5d3l3HoI UltraBlame original commit: 2d4a86ef46e9b45b516165ff624068fbcc4493ce
marco-c · Oct 1, 2019 · cab5a6e · cab5a6e
1 parent f2f685b
commit cab5a6e
Showing 1 changed file with 7 additions and 26 deletions.
diff --git a/toolkit/components/url-classifier/nsUrlClassifierStreamUpdater.cpp b/toolkit/components/url-classifier/nsUrlClassifierStreamUpdater.cpp
@@ -2503,14 +2503,20 @@ NS_OK
 ;
 }
 PendingRequest
-&
 request
 =
 mPendingRequests
 [
 0
 ]
 ;
+mPendingRequests
+.
+RemoveElementAt
+(
+0
+)
+;
 LOG
 (
 (
@@ -2574,31 +2580,6 @@ mDownloadErrorCallback
 dummy
 )
 ;
-request
-.
-mSuccessCallback
-=
-nullptr
-;
-request
-.
-mUpdateErrorCallback
-=
-nullptr
-;
-request
-.
-mDownloadErrorCallback
-=
-nullptr
-;
-mPendingRequests
-.
-RemoveElementAt
-(
-0
-)
-;
 return
 NS_OK
 ;