| OLD | NEW |
|---|
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/browser/indexed_db/indexed_db_backing_store.h" | 5 #include "content/browser/indexed_db/indexed_db_backing_store.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 | 8 |
| 9 #include "base/files/file_path.h" | 9 #include "base/files/file_path.h" |
| 10 #include "base/files/file_util.h" | 10 #include "base/files/file_util.h" |
| (...skipping 2224 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2235 typedef IndexedDBBackingStore::Transaction::WriteDescriptorVec | 2235 typedef IndexedDBBackingStore::Transaction::WriteDescriptorVec |
| 2236 WriteDescriptorVec; | 2236 WriteDescriptorVec; |
| 2237 ChainedBlobWriterImpl( | 2237 ChainedBlobWriterImpl( |
| 2238 int64 database_id, | 2238 int64 database_id, |
| 2239 IndexedDBBackingStore* backing_store, | 2239 IndexedDBBackingStore* backing_store, |
| 2240 WriteDescriptorVec* blobs, | 2240 WriteDescriptorVec* blobs, |
| 2241 scoped_refptr<IndexedDBBackingStore::BlobWriteCallback> callback) | 2241 scoped_refptr<IndexedDBBackingStore::BlobWriteCallback> callback) |
| 2242 : waiting_for_callback_(false), | 2242 : waiting_for_callback_(false), |
| 2243 database_id_(database_id), | 2243 database_id_(database_id), |
| 2244 backing_store_(backing_store), | 2244 backing_store_(backing_store), |
| 2245 callback_(callback), | 2245 callback_(callback) { |
| 2246 aborted_(false) { | |
| 2247 blobs_.swap(*blobs); | 2246 blobs_.swap(*blobs); |
| 2248 iter_ = blobs_.begin(); | 2247 iter_ = blobs_.begin(); |
| 2249 backing_store->task_runner()->PostTask( | 2248 backing_store->task_runner()->PostTask( |
| 2250 FROM_HERE, base::Bind(&ChainedBlobWriterImpl::WriteNextFile, this)); | 2249 FROM_HERE, base::Bind(&ChainedBlobWriterImpl::WriteNextFile, this)); |
| 2251 } | 2250 } |
| 2252 | 2251 |
| 2253 void set_delegate(scoped_ptr<FileWriterDelegate> delegate) override { | 2252 void set_delegate(scoped_ptr<FileWriterDelegate> delegate) override { |
| 2254 delegate_.reset(delegate.release()); | 2253 delegate_.reset(delegate.release()); |
| 2255 } | 2254 } |
| 2256 | 2255 |
| 2257 void ReportWriteCompletion(bool succeeded, int64 bytes_written) override { | 2256 void ReportWriteCompletion(bool succeeded, int64 bytes_written) override { |
| 2258 DCHECK(waiting_for_callback_); | 2257 DCHECK(waiting_for_callback_); |
| 2259 DCHECK(!succeeded || bytes_written >= 0); | 2258 DCHECK(!succeeded || bytes_written >= 0); |
| 2260 waiting_for_callback_ = false; | 2259 waiting_for_callback_ = false; |
| 2261 if (delegate_.get()) // Only present for Blob, not File. | 2260 if (delegate_.get()) // Only present for Blob, not File. |
| 2262 content::BrowserThread::DeleteSoon( | 2261 content::BrowserThread::DeleteSoon( |
| 2263 content::BrowserThread::IO, FROM_HERE, delegate_.release()); | 2262 content::BrowserThread::IO, FROM_HERE, delegate_.release()); |
| 2264 if (aborted_) { | 2263 if (aborted_self_ref_.get()) { |
| 2265 self_ref_ = NULL; | 2264 aborted_self_ref_ = NULL; |
| 2266 return; | 2265 return; |
| 2267 } | 2266 } |
| 2268 if (iter_->size() != -1 && iter_->size() != bytes_written) | 2267 if (iter_->size() != -1 && iter_->size() != bytes_written) |
| 2269 succeeded = false; | 2268 succeeded = false; |
| 2270 if (succeeded) { | 2269 if (succeeded) { |
| 2271 ++iter_; | 2270 ++iter_; |
| 2272 WriteNextFile(); | 2271 WriteNextFile(); |
| 2273 } else { | 2272 } else { |
| 2274 callback_->Run(false); | 2273 callback_->Run(false); |
| 2275 } | 2274 } |
| 2276 } | 2275 } |
| 2277 | 2276 |
| 2278 void Abort() override { | 2277 void Abort() override { |
| 2279 if (!waiting_for_callback_) | 2278 if (!waiting_for_callback_) |
| 2280 return; | 2279 return; |
| 2281 self_ref_ = this; | 2280 aborted_self_ref_ = this; |
| 2282 aborted_ = true; | |
| 2283 } | 2281 } |
| 2284 | 2282 |
| 2285 private: | 2283 private: |
| 2286 ~ChainedBlobWriterImpl() override {} | 2284 ~ChainedBlobWriterImpl() override { DCHECK(!waiting_for_callback_); } |
| 2287 | 2285 |
| 2288 void WriteNextFile() { | 2286 void WriteNextFile() { |
| 2289 DCHECK(!waiting_for_callback_); | 2287 DCHECK(!waiting_for_callback_); |
| 2290 DCHECK(!aborted_); | 2288 DCHECK(!aborted_self_ref_.get()); |
| 2291 if (iter_ == blobs_.end()) { | 2289 if (iter_ == blobs_.end()) { |
| 2292 DCHECK(!self_ref_.get()); | |
| 2293 callback_->Run(true); | 2290 callback_->Run(true); |
| 2294 return; | 2291 return; |
| 2295 } else { | 2292 } else { |
| 2293 waiting_for_callback_ = true; |
| 2296 if (!backing_store_->WriteBlobFile(database_id_, *iter_, this)) { | 2294 if (!backing_store_->WriteBlobFile(database_id_, *iter_, this)) { |
| 2295 waiting_for_callback_ = false; |
| 2297 callback_->Run(false); | 2296 callback_->Run(false); |
| 2298 return; | 2297 return; |
| 2299 } | 2298 } |
| 2300 waiting_for_callback_ = true; | |
| 2301 } | 2299 } |
| 2302 } | 2300 } |
| 2303 | 2301 |
| 2304 bool waiting_for_callback_; | 2302 bool waiting_for_callback_; |
| 2305 scoped_refptr<ChainedBlobWriterImpl> self_ref_; | 2303 scoped_refptr<ChainedBlobWriterImpl> aborted_self_ref_; |
| 2306 WriteDescriptorVec blobs_; | 2304 WriteDescriptorVec blobs_; |
| 2307 WriteDescriptorVec::const_iterator iter_; | 2305 WriteDescriptorVec::const_iterator iter_; |
| 2308 int64 database_id_; | 2306 int64 database_id_; |
| 2309 IndexedDBBackingStore* backing_store_; | 2307 IndexedDBBackingStore* backing_store_; |
| 2310 scoped_refptr<IndexedDBBackingStore::BlobWriteCallback> callback_; | 2308 scoped_refptr<IndexedDBBackingStore::BlobWriteCallback> callback_; |
| 2311 scoped_ptr<FileWriterDelegate> delegate_; | 2309 scoped_ptr<FileWriterDelegate> delegate_; |
| 2312 bool aborted_; | |
| 2313 | 2310 |
| 2314 DISALLOW_COPY_AND_ASSIGN(ChainedBlobWriterImpl); | 2311 DISALLOW_COPY_AND_ASSIGN(ChainedBlobWriterImpl); |
| 2315 }; | 2312 }; |
| 2316 | 2313 |
| 2317 class LocalWriteClosure : public FileWriterDelegate::DelegateWriteCallback, | 2314 class LocalWriteClosure : public FileWriterDelegate::DelegateWriteCallback, |
| 2318 public base::RefCountedThreadSafe<LocalWriteClosure> { | 2315 public base::RefCountedThreadSafe<LocalWriteClosure> { |
| 2319 public: | 2316 public: |
| 2320 LocalWriteClosure(IndexedDBBackingStore::Transaction::ChainedBlobWriter* | 2317 LocalWriteClosure(IndexedDBBackingStore::Transaction::ChainedBlobWriter* |
| 2321 chained_blob_writer, | 2318 chained_blob_writer, |
| 2322 base::SequencedTaskRunner* task_runner) | 2319 base::SequencedTaskRunner* task_runner) |
| (...skipping 2099 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 4422 | 4419 |
| 4423 IndexedDBBackingStore::Transaction::WriteDescriptor::WriteDescriptor( | 4420 IndexedDBBackingStore::Transaction::WriteDescriptor::WriteDescriptor( |
| 4424 const WriteDescriptor& other) = default; | 4421 const WriteDescriptor& other) = default; |
| 4425 IndexedDBBackingStore::Transaction::WriteDescriptor::~WriteDescriptor() = | 4422 IndexedDBBackingStore::Transaction::WriteDescriptor::~WriteDescriptor() = |
| 4426 default; | 4423 default; |
| 4427 IndexedDBBackingStore::Transaction::WriteDescriptor& | 4424 IndexedDBBackingStore::Transaction::WriteDescriptor& |
| 4428 IndexedDBBackingStore::Transaction::WriteDescriptor:: | 4425 IndexedDBBackingStore::Transaction::WriteDescriptor:: |
| 4429 operator=(const WriteDescriptor& other) = default; | 4426 operator=(const WriteDescriptor& other) = default; |
| 4430 | 4427 |
| 4431 } // namespace content | 4428 } // namespace content |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1060613002:
IndexedDB: Protect against use-after-free in ChainedBlobWriter. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master