Bug 84668 - ObjcClass::methodsNamed() can leak if buffer is dynamically allocated
Summary: ObjcClass::methodsNamed() can leak if buffer is dynamically allocated
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Benjamin Poulain
URL:
Keywords:
Depends on: 84915
Blocks:
Reported: 2012-04-23 20:09 PDT by Benjamin Poulain
Modified: 2014-04-24 16:45 PDT (History)

See Also:


Attachments
Patch (13.45 KB, patch)
2012-04-26 13:14 PDT, Benjamin Poulain
no flags

Description Benjamin Poulain 2012-04-23 20:09:48 PDT
From ObjcClass::methodsNamed():

    char fixedSizeBuffer[1024];
    char* buffer = fixedSizeBuffer;
    CString jsName = identifier.ascii();
    if (!convertJSMethodNameToObjc(jsName.data(), buffer, sizeof(fixedSizeBuffer))) {
        // Name did not fit the stack buffer: fall back to a heap buffer.
        int length = jsName.length() + 1;
        buffer = new char[length];
        if (!buffer || !convertJSMethodNameToObjc(jsName.data(), buffer, length))
            return methodList; // early return without delete[] buffer
    }

    RetainPtr<CFStringRef> methodName(AdoptCF, CFStringCreateWithCString(NULL, buffer, kCFStringEncodingASCII));
    Method* method = (Method*)CFDictionaryGetValue(_methods.get(), methodName.get());
    if (method) {
        methodList.append(method);
        return methodList; // early return without delete[] buffer
    }

If the second convertJSMethodNameToObjc() returns false, or if the dictionary matches the method name, buffer is never released.
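The leak pattern above, reduced to a stand-alone program, as an added example that is neither WebKit's code nor the patch that landed for this bug. convertName() is a hypothetical stand-in for convertJSMethodNameToObjc() (it rewrites '_' to ':'), kKnownSelectors stands in for the _methods dictionary, the 16-byte stack buffer is deliberately small so a realistic selector takes the heap path, and allocateBuffer()/releaseBuffer() count live heap buffers so the leak is observable. leakyLookup() keeps the original control flow; fixedLookup() hands the heap buffer to a std::unique_ptr declared before the first early return, so every exit path releases it.

```cpp
#include <cstddef>
#include <cstring>
#include <iostream>
#include <memory>
#include <set>
#include <string>

// Constructed stand-in for the _methods dictionary (hypothetical data, not WebKit's).
static const std::set<std::string> kKnownSelectors = {
    "setFoo:bar", "aVeryLongMethodName:withArg"
};

// Allocation bookkeeping so a leak is observable: the leaky path below leaves
// g_liveHeapBuffers above zero after it returns.
static int g_liveHeapBuffers = 0;
static char* allocateBuffer(size_t n) { ++g_liveHeapBuffers; return new char[n]; }
static void releaseBuffer(char* p) { if (p) { --g_liveHeapBuffers; delete[] p; } }
int liveHeapBuffers() { return g_liveHeapBuffers; }

// Hypothetical stand-in for convertJSMethodNameToObjc(): rewrites '_' to ':'
// and fails when the result (with terminator) does not fit the buffer.
static bool convertName(const char* jsName, char* buffer, size_t bufferSize)
{
    size_t length = std::strlen(jsName);
    if (length + 1 > bufferSize)
        return false;
    for (size_t i = 0; i < length; ++i)
        buffer[i] = jsName[i] == '_' ? ':' : jsName[i];
    buffer[length] = '\0';
    return true;
}

// Same control flow as the snippet in the bug report: a raw pointer that is
// only freed on the fall-through path, so both early returns leak the heap buffer.
bool leakyLookup(const std::string& jsName)
{
    char fixedSizeBuffer[16]; // small on purpose so a realistic selector takes the heap path
    char* buffer = fixedSizeBuffer;
    if (!convertName(jsName.c_str(), buffer, sizeof(fixedSizeBuffer))) {
        size_t length = jsName.size() + 1;
        buffer = allocateBuffer(length);
        if (!convertName(jsName.c_str(), buffer, length))
            return false;                       // leak: buffer never released
    }
    if (kKnownSelectors.count(buffer))
        return true;                            // leak: the case the bug describes
    if (buffer != fixedSizeBuffer)
        releaseBuffer(buffer);                  // only this path cleans up
    return false;
}

// Hardened form: the heap buffer is owned by a unique_ptr declared before the
// first early return, so every exit path releases it. Lookup behaviour is unchanged.
bool fixedLookup(const std::string& jsName)
{
    char fixedSizeBuffer[16];
    std::unique_ptr<char[], void (*)(char*)> heapBuffer(nullptr, releaseBuffer);
    char* buffer = fixedSizeBuffer;
    if (!convertName(jsName.c_str(), buffer, sizeof(fixedSizeBuffer))) {
        size_t length = jsName.size() + 1;
        heapBuffer.reset(allocateBuffer(length));
        buffer = heapBuffer.get();
        if (!convertName(jsName.c_str(), buffer, length))
            return false;                       // heapBuffer's deleter runs here
    }
    if (kKnownSelectors.count(buffer))
        return true;                            // and here
    return false;                               // and here
}

int main()
{
    fixedLookup("aVeryLongMethodName_withArg");
    std::cout << "live heap buffers after fixedLookup: " << liveHeapBuffers() << '\n'; // 0
    leakyLookup("aVeryLongMethodName_withArg");
    std::cout << "live heap buffers after leakyLookup: " << liveHeapBuffers() << '\n'; // 1
    return 0;
}
```

The counter makes the point a leak checker would make at runtime: after a matching long name, leakyLookup() leaves one buffer live while fixedLookup() leaves none, with no change to what either function returns.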
Comment 1 Benjamin Poulain 2012-04-26 13:14:16 PDT
Created attachment 139054
Patch
Comment 2 Benjamin Poulain 2012-04-26 14:06:59 PDT
Comment on attachment 139054
Patch

Clearing flags on attachment: 139054

Committed r115358: <http://trac.webkit.org/changeset/115358>
Comment 3 Benjamin Poulain 2012-04-26 14:07:02 PDT
All reviewed patches have been landed.  Closing bug.
Comment 4 Darin Adler 2014-04-24 16:45:30 PDT
Moving all JavaScriptGlue bugs to JavaScriptCore. The JavaScriptGlue framework itself is long gone. And most of the more recent bugs put in this component were put there by people who thought this was for some other aspect of “JavaScript glue” and have nothing to do with the actual original reason for the existence of this component, which was an OS-X-only framework named JavaScriptGlue.