From 703b5fea73f9bbdb4f41aebcd75f71d32d340a2d Mon Sep 17 00:00:00 2001 From: John Mark Bell Date: Sun, 18 Mar 2007 17:09:55 +0000 Subject: Ensure content owners check that they are still interested in a content when receiving notification that the content's in error. This prevents content pointers being corrupted when redirects occur. Fixes 1522002, 1551475. svn path=/trunk/netsurf/; revision=3211 --- css/css.c | 13 ++++++++++--- render/html.c | 33 ++++++++++++++++++++++++--------- riscos/plugin.c | 9 ++++++++- 3 files changed, 42 insertions(+), 13 deletions(-) diff --git a/css/css.c b/css/css.c index 3ba3da872..589f0cc78 100644 --- a/css/css.c +++ b/css/css.c @@ -919,9 +919,16 @@ void css_atimport_callback(content_msg msg, struct content *css, #endif /* todo: handle AUTH and SSL */ case CONTENT_MSG_ERROR: - c->data.css.import_content[i] = 0; - c->active--; - content_add_error(c, "?", 0); + /* The stylesheet we were fetching may have been + * redirected, in that case, the object pointers + * will differ, so ensure that the object that's + * in error is still in use by us before invalidating + * the pointer */ + if (c->data.css.import_content[i] == css) { + c->data.css.import_content[i] = 0; + c->active--; + content_add_error(c, "?", 0); + } break; case CONTENT_MSG_STATUS: diff --git a/render/html.c b/render/html.c index db7c694cc..38c6f2181 100644 --- a/render/html.c +++ b/render/html.c @@ -920,9 +920,16 @@ void html_convert_css_callback(content_msg msg, struct content *css, break; case CONTENT_MSG_ERROR: - c->data.html.stylesheet_content[i] = 0; - c->active--; - content_add_error(c, "?", 0); + /* The stylesheet we were fetching may have been + * redirected, in that case, the object pointers + * will differ, so ensure that the object that's + * in error is still in use by us before invalidating + * the pointer */ + if (c->data.html.stylesheet_content[i] == css) { + c->data.html.stylesheet_content[i] = 0; + c->active--; + content_add_error(c, "?", 0); + } break; case CONTENT_MSG_STATUS: @@ -1161,13 +1168,21 @@ void html_object_callback(content_msg msg, struct content *object, break; case CONTENT_MSG_ERROR: - c->data.html.object[i].content = 0; - c->active--; - content_add_error(c, "?", 0); - html_set_status(c, data.error); - content_broadcast(c, CONTENT_MSG_STATUS, data); - html_object_failed(box, c, + /* The object we were fetching may have been + * redirected, in that case, the object pointers + * will differ, so ensure that the object that's + * in error is still in use by us before invalidating + * the pointer */ + if (c->data.html.object[i].content == object) { + c->data.html.object[i].content = 0; + c->active--; + content_add_error(c, "?", 0); + html_set_status(c, data.error); + content_broadcast(c, CONTENT_MSG_STATUS, + data); + html_object_failed(box, c, c->data.html.object[i].background); + } break; case CONTENT_MSG_STATUS: diff --git a/riscos/plugin.c b/riscos/plugin.c index 302651e26..57f6f6515 100644 --- a/riscos/plugin.c +++ b/riscos/plugin.c @@ -1683,7 +1683,14 @@ void plugin_stream_callback(content_msg msg, struct content *c, break; case CONTENT_MSG_ERROR: - plugin_destroy_stream(p, plugin_STREAM_DESTROY_ERROR); + /* The plugin we were fetching may have been + * redirected, in that case, the object pointers + * will differ, so ensure that the object that's + * in error is still in use by us before destroying + * the stream */ + if (p->c == c) + plugin_destroy_stream(p, + plugin_STREAM_DESTROY_ERROR); break; case CONTENT_MSG_REDIRECT: -- cgit v1.2.3