From d85187fe3f465fa7b5ee350442499173151b56aa Mon Sep 17 00:00:00 2001
From: Thomas Barber
Date: Fri, 23 Feb 2024 08:59:26 +0000
Subject: [PATCH] Foxhound: Fixing memory leak due to untidy StringTaints

---
 dom/base/Element.cpp | 2 +-
 parser/html/nsHtml5StreamParser.cpp | 4 ++--
 parser/html/nsHtml5TreeBuilder.cpp | 1 +
 parser/html/nsHtml5UTF16Buffer.h | 2 +-
 4 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/dom/base/Element.cpp b/dom/base/Element.cpp
index 627fa6d29f505..f2c37c5179c3f 100644
--- a/dom/base/Element.cpp
+++ b/dom/base/Element.cpp
@@ -5055,7 +5055,7 @@ void Element::TaintSelectorOperation(const char* operation, const nsAString& aEl
 // Here we want to save a list of all selector operations performed on the element
 // Check if there is a direct flow
- const StringTaint aTaint = aElementId.Taint();
+ const StringTaint& aTaint = aElementId.Taint();
 TaintFlow flow;
 if (aTaint.hasTaint()) {
 // Take the first range
diff --git a/parser/html/nsHtml5StreamParser.cpp b/parser/html/nsHtml5StreamParser.cpp
index a7bebd9b33ab0..dce8624fc04fa 100644
--- a/parser/html/nsHtml5StreamParser.cpp
+++ b/parser/html/nsHtml5StreamParser.cpp
@@ -1642,7 +1642,7 @@ nsresult nsHtml5StreamParser::OnDataAvailable(nsIRequest* aRequest,
 return mExecutor->MarkAsBroken(NS_ERROR_OUT_OF_MEMORY);
 }
 Buffer data(std::move(*maybe));
- StringTaint taint;
+ SafeStringTaint taint;
 if (taintInputStream) {
 rv = taintInputStream->TaintedRead(reinterpret_cast(data.Elements()),
 data.Length(), &taint, &totalRead);
@@ -1684,7 +1684,7 @@ nsresult nsHtml5StreamParser::OnDataAvailable(nsIRequest* aRequest,
 return NS_ERROR_OUT_OF_MEMORY;
 }
 Buffer data(std::move(*maybe));
- StringTaint taint;
+ SafeStringTaint taint;
 if (taintInputStream) {
 rv = taintInputStream->TaintedRead(reinterpret_cast(data.Elements()),
diff --git a/parser/html/nsHtml5TreeBuilder.cpp b/parser/html/nsHtml5TreeBuilder.cpp
index 599a274de0542..3f40fde512343 100644
--- a/parser/html/nsHtml5TreeBuilder.cpp
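Review bot: The new binding `const StringTaint& aTaint = aElementId.Taint();` only removes the leak if nothing later in TaintSelectorOperation copies `aTaint` again (for instance when `flow` is populated from its first range); the function body continues past the hunk, so that remainder is where the check belongs. A one-line comment would also keep the next maintainer from turning it back into a value: `// Bind by reference: copying a StringTaint presumably duplicates its range list (the leak this commit removes)`, with the "presumably" dropped once confirmed against StringTaint's copy semantics. As a style point, the `a` prefix on `aTaint` marks a parameter in Mozilla naming, while this is a local; `taint` would read as what it is.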
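Review bot: In both nsHtml5StreamParser hunks (1642 and 1684) `SafeStringTaint taint;` is declared and `&taint` is still passed to `TaintedRead`, so the change relies on `SafeStringTaint` being usable wherever the out-parameter type of `TaintedRead` is expected; that relationship is not visible here and deserves a comment at the declaration, e.g. `// SafeStringTaint owns its ranges; TaintedRead fills it in place`. Whatever consumes `taint` after the read, outside the hunk, must take it by reference or move it, since a copy back into a plain StringTaint would reintroduce the leak the commit targets. The second hunk's trailing context appears truncated in this rendering (`reinterpret_cast(data.Elements()),` with no continuation, and the cast's template argument missing), so the remaining arguments cannot be checked from the page. OnDataAvailable starts and ends outside both hunks.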
+++ b/parser/html/nsHtml5TreeBuilder.cpp
@@ -146,6 +146,7 @@ void nsHtml5TreeBuilder::startTokenization(nsHtml5Tokenizer* self) {
 charBufferLen = 0;
 charBuffer = nullptr;
 framesetOk = true;
+ charTaint.clear();
 if (fragment) {
 nsIContentHandle* elt;
 if (contextNode) {
diff --git a/parser/html/nsHtml5UTF16Buffer.h b/parser/html/nsHtml5UTF16Buffer.h
index 0146364a49f91..091619a691d19 100644
--- a/parser/html/nsHtml5UTF16Buffer.h
+++ b/parser/html/nsHtml5UTF16Buffer.h
@@ -59,7 +59,7 @@ class nsHtml5Portability;
 class nsHtml5UTF16Buffer {
 private:
 char16_t* buffer;
- StringTaint taint;
+ SafeStringTaint taint;
 int32_t start;
 int32_t end;
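Review bot: `charTaint.clear();` is inserted after `framesetOk = true;` rather than beside `charBufferLen = 0; charBuffer = nullptr;`, the fields whose contents it describes; moving it up to that pair and adding `// charTaint tracks charBuffer; reset both together` makes the invariant visible instead of relying on the reader to connect them. If charBuffer is released or reassigned anywhere else in the tree builder, the taint presumably needs the same reset there, which this hunk cannot show. startTokenization continues past the hunk on both sides.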
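Review bot: The member becomes `SafeStringTaint taint;` with no comment tying it to the raw `char16_t* buffer;` declared just above it; a line such as `// Taint ranges describing buffer — confirm whether they cover [start, end) or the whole allocation` would document the relationship the leak fix depends on. Changing the member's type also changes what every accessor, copy or assignment of nsHtml5UTF16Buffer does at the wrapper boundary; those members sit outside the hunk, and any one of them that hands `taint` out as a plain StringTaint by value is where the copy this commit is removing would come back. The class declaration continues outside the hunk.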