
Unified Diff: android_webview/browser/net/android_stream_reader_url_request_job.h

Issue 11428052: [android_webview] Fix use after free in intercepted requests. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 8 years, 1 month ago
Index: android_webview/browser/net/android_stream_reader_url_request_job.h
diff --git a/android_webview/browser/net/android_stream_reader_url_request_job.h b/android_webview/browser/net/android_stream_reader_url_request_job.h
index 1053d219476bf9ea0c137065801d9323af8468a3..9699716e2878e11cb9d0d82d092317edccbacbcf 100644
--- a/android_webview/browser/net/android_stream_reader_url_request_job.h
+++ b/android_webview/browser/net/android_stream_reader_url_request_job.h
@@ -79,10 +79,35 @@ class AndroidStreamReaderURLRequestJob : public net::URLRequestJob {
// Creates an InputStreamReader instance.
// Overridden in unittests to return a mock.
- virtual scoped_refptr<android_webview::InputStreamReader>
+ virtual scoped_ptr<android_webview::InputStreamReader>
CreateStreamReader(android_webview::InputStream* stream);
private:
+ // The requests posted to the worker thread might outlive the job.
+ // Thread-safe ref counting is used to ensure that the data is still there
+ // when the closure is run on the worker thread.
+ //
+ class InputStreamReaderWrapper :
mnaganov (inactive) 2012/11/29 10:46:55 If this class is only used by AndroidStreamReaderU
mkosiba (inactive) 2012/11/29 15:39:23 I assumed scoped_refptr would complain that the ty
+ public base::RefCountedThreadSafe<InputStreamReaderWrapper> {
+ public:
+ InputStreamReaderWrapper(
+ scoped_ptr<android_webview::InputStream> input_stream,
+ scoped_ptr<android_webview::InputStreamReader> input_stream_reader);
+
+ const android_webview::InputStream& input_stream() const {
+ return *input_stream_;
+ }
+
+ int Seek(const net::HttpByteRange& byte_range);
+ int ReadRawData(net::IOBuffer* buffer, int buffer_size);
+ private:
+ friend class base::RefCountedThreadSafe<InputStreamReaderWrapper>;
+ ~InputStreamReaderWrapper();
+
+ scoped_ptr<android_webview::InputStream> input_stream_;
+ scoped_ptr<android_webview::InputStreamReader> input_stream_reader_;
+ };
+
void StartAsync();
void OnReaderSeekCompleted(int content_size);
@@ -90,8 +115,7 @@ class AndroidStreamReaderURLRequestJob : public net::URLRequestJob {
net::HttpByteRange byte_range_;
scoped_ptr<Delegate> delegate_;
- scoped_refptr<android_webview::InputStreamReader> input_stream_reader_;
- scoped_ptr<android_webview::InputStream> stream_;
+ scoped_refptr<InputStreamReaderWrapper> input_stream_reader_wrapper_;
base::WeakPtrFactory<AndroidStreamReaderURLRequestJob> weak_factory_;
DISALLOW_COPY_AND_ASSIGN(AndroidStreamReaderURLRequestJob);
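Review bot: The declaration order of `input_stream_` and `input_stream_reader_` in `InputStreamReaderWrapper` carries a lifetime dependency that the header does not state. `CreateStreamReader` takes a raw `InputStream*`, so the reader presumably keeps a non-owning pointer to the stream; members are destroyed in reverse declaration order, so the current order destroys the reader first, and a later reordering could leave it with a dangling pointer. I would add `// Must stay declared before input_stream_reader_: the reader is given a raw pointer to this stream and has to be destroyed first.` above `input_stream_`. Because the wrapper is `RefCountedThreadSafe`, the last reference may be released on the worker thread, so the class comment should also say on which thread `Seek`, `ReadRawData` and the destructor are expected to run; the empty trailing `//` line in that comment can be dropped. The enclosing `AndroidStreamReaderURLRequestJob` class begins and ends outside the visible hunks.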
