author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-05-31 19:13:37 +0000 |
---|---|---|
committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-05-31 19:13:37 +0000 |
commit | e67d3f76868b793a3bb00d63d491fd008f4c0b15 (patch) | |
tree | 80b56a6be18558a056a596fca328534a9cbd640b /third_party/libevent | |
parent | 061598c08b5bd8468c6377a3dce6628cd5bc3d6b (diff) | |
third_party/libevent: don't touch base unless needed.
See referenced bug. I'm assuming that we don't actually have active events
outliving the base, but just that the accesses of the base pointer outside of
the conditional were premature.
This change makes it so that we don't touch the base object unless the event
really is active. This suggests that there's no security problem here and
the crashes are those that are hitting pages that have been unmapped.
BUG=44966
TEST=Valgrind
Review URL: http://codereview.chromium.org/7096012
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@87338 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'third_party/libevent')
-rw-r--r-- | third_party/libevent/README.chromium | 2 | ||||
-rw-r--r-- | third_party/libevent/event.c | 6 |
2 files changed, 3 insertions, 5 deletions
diff --git a/third_party/libevent/README.chromium b/third_party/libevent/README.chromium index c9002be..10780cb 100644 --- a/third_party/libevent/README.chromium +++ b/third_party/libevent/README.chromium @@ -2,6 +2,7 @@ Name: libevent URL: http://www.monkey.org/~provos/libevent/ Version: 1.4.13 License: BSD +Security Critical: yes Local Modifications: Rather than use libevent's own build system, we just build a Chrome @@ -14,3 +15,4 @@ static library using GYP. 3) chromium.patch is applied to allow libevent to be used without being installed. 4) The directories WIN32-Code and WIN32-Prj are not included. +5) Apply rXXXXX (FIXME(agl): update to include eventual revision number) diff --git a/third_party/libevent/event.c b/third_party/libevent/event.c index d7ccd3f..1253352 100644 --- a/third_party/libevent/event.c +++ b/third_party/libevent/event.c @@ -778,8 +778,6 @@ int event_del(struct event *ev) { struct event_base *base; - const struct eventop *evsel; - void *evbase; event_debug(("event_del: %p, callback %p", ev, ev->ev_callback)); @@ -789,8 +787,6 @@ event_del(struct event *ev) return (-1); base = ev->ev_base; - evsel = base->evsel; - evbase = base->evbase; assert(!(ev->ev_flags & ~EVLIST_ALL)); @@ -808,7 +804,7 @@ event_del(struct event *ev) if (ev->ev_flags & EVLIST_INSERTED) { event_queue_remove(base, ev, EVLIST_INSERTED); - return (evsel->del(evbase, ev)); + return (base->evsel->del(base->evbase, ev)); } return (0); |
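Review bot: In the README.chromium hunk at @@ -14,3 +15,4 @@, the new item 5 is only a placeholder (rXXXXX plus a FIXME) and does not say what the local modification is. Items 3 and 4 describe the change itself; item 5 should do the same, for example by stating that event_del() no longer reads base->evsel and base->evbase unless the event has EVLIST_INSERTED set. That way the modification can be identified and reapplied when libevent is updated from 1.4.13, even if the revision number is never filled in.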
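Review bot: In the event.c hunk at @@ -808,7 +804,7 @@, nothing in the code records why base is now dereferenced only inside the EVLIST_INSERTED branch, so a later cleanup could hoist the evsel and evbase loads back to the top of event_del() and reintroduce the premature access. A short comment above `return (base->evsel->del(base->evbase, ev));` saying that base must not be touched unless the event is inserted would protect the fix. This line also still dereferences base whenever EVLIST_INSERTED is set, so the change depends on the assumption in the commit message that no inserted event outlives its base; the comment is a good place to state that assumption as well.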