forked from mirrors/gecko-dev
4641d9bef3
We were calling XML_GetCurrentColumnNumber after ParseBuffer caused Expat to consume some data. XML_GetCurrentColumnNumber uses the buffer that was last passed to Expat. Before Expat was put in an RLBox sandbox the caller of ParseBuffer would keep the data in the scanner string until after the call to XML_GetCurrentColumnNumber. Now that we copy the data into the RLBox sandbox the data is freed when the TransferBuffer in ParseBuffer goes out of scope, so in the caller of ParseBuffer the call to XML_GetCurrentColumnNumber would cause us to read freed memory inside the sandbox. Moving the call to XML_GetCurrentColumnNumber to inside ParseBuffer, when TransferBuffer is still in scope, solves the issue. Differential Revision: https://phabricator.services.mozilla.com/D141795
1 line
35 B
JavaScript
1 line
35 B
JavaScript
parent.ok(true, "Loaded script.");
|