codegooglecom / libproxy

Automatically exported from code.google.com/p/libproxy
GNU Lesser General Public License v2.1

crash after pacrunner failure #200

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
libproxy calls pacrunner->get() for url #1, which sets this->pr (in 
extension_pacrunner.cpp:get) and then returns the pacrunner.

libproxy then calls pacrunner->get() for url #2. It sees that this->last != pac 
(because nothing ever sets this->last!), so deletes this->pr, and tries to 
create a new one. Unfortunately, this time pacrunner->create() throws an 
exception.

libproxy now calls pacrunner->get() for url #3. It sees that this->last != pac, 
so deletes this->pr, but unfortunately this->pr still points to the pacrunner 
it deleted in the last step, so it ends up calling the destructor of an 
already-destroyed pacrunner, and bad things happen and it crashes.

fix:

diff -up libproxy-0.4.11/libproxy/extension_pacrunner.cpp.mozjscrash 
libproxy-0.4.11/libproxy/extension_pacrunner.cpp
--- libproxy-0.4.11/libproxy/extension_pacrunner.cpp.mozjscrash 2010-07-29 
08:14:59.000000000 -0400
+++ libproxy-0.4.11/libproxy/extension_pacrunner.cpp    2013-09-19 
09:22:13.031263766 -0400
@@ -35,6 +35,7 @@ pacrunner* pacrunner_extension::get(stri
                if (this->last == pac)
                        return this->pr;
                delete this->pr;
+               this->pr = NULL;
        }

        return this->pr = this->create(pac, pacurl);
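
Review bot: the closing `return this->pr = this->create(pac, pacurl);` still does not update this->last in the lines shown, so the `this->last == pac` check above keeps failing and every call that finds a runner deletes and rebuilds it. Consider recording the PAC once create() has succeeded (for example assigning this->last = pac after the create call), so the cached runner is actually reused and a throwing create() leaves both members consistent. The added `this->pr = NULL;` is in the right place, before create() can throw.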

Original issue reported on code.google.com by dan.wins...@gmail.com on 19 Sep 2013 at 2:12
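
The three-call sequence from the report above, replayed against a small model with and without the one-line fix. This is an added example, not libproxy's code: `Runner`, `Cache`, `destroy` and `replay` are hypothetical names, and `destroy` records a second destruction instead of freeing memory so the stale pointer can be observed without undefined behaviour.

```cpp
#include <cstdio>
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical stand-in for a pacrunner; "alive" makes a stale delete observable.
struct Runner { bool alive = true; };

struct Cache {
    std::vector<std::unique_ptr<Runner>> pool;  // owns the memory, so stale reads stay defined
    Runner* pr = nullptr;
    std::string last;        // never assigned, as the report describes
    bool patched;
    int create_calls = 0;
    int stale_deletes = 0;

    explicit Cache(bool p) : patched(p) {}

    Runner* create(const std::string&) {
        if (++create_calls == 2) throw std::runtime_error("constructed failure");
        pool.emplace_back(new Runner());
        return pool.back().get();
    }

    // Stands in for "delete this->pr": counts a repeat destruction instead of crashing.
    void destroy(Runner* r) {
        if (!r->alive) { ++stale_deletes; return; }
        r->alive = false;
    }

    Runner* get(const std::string& pac) {
        if (pr) {
            if (last == pac) return pr;
            destroy(pr);
            if (patched) pr = nullptr;  // the one-line fix from the diff
        }
        return pr = create(pac);        // if create() throws, pr is not reassigned
    }
};

// Replays the three calls from the report; returns the number of stale deletes.
int replay(bool patched) {
    Cache c(patched);
    const char* pacs[] = {"pac-1", "pac-2", "pac-3"};  // constructed inputs
    for (const char* p : pacs) {
        try { c.get(p); } catch (const std::runtime_error&) {}
    }
    return c.stale_deletes;
}

int main() { std::printf("unpatched=%d patched=%d\n", replay(false), replay(true)); }
```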

GoogleCodeExporter commented 9 years ago
It is possible that this bug doesn't actually exist... the bug I was really 
trying to fix was probably issue 201. Though, based on my (poor) understanding 
of C++, it does seem like the code is wrong.

Original comment by dan.wins...@gmail.com on 11 Nov 2013 at 9:50