Description
Fix use after free in JavascriptAppModalDialogAndroid.
On Android JavascriptAppModalDialog is implemented with a Java class and its
native counterpart.
The Java class holds a pointer to the native instance. When UI events (e.g.
button click) are processed, the Java side calls a native method (e.g.
JavascriptAppModalDialog::DidAcceptAppModalDialog()). When this native method
completes, the instance deletes itself.
This is only correct in case it is guaranteed that no further native method
call is performed by the Java side since the pointer was freed.
The problem is that this can happen in some rare circumstances. For instance,
the user could manage to click on two buttons before the dialog is closed which
might happen if the first click event is not processed immediately or takes a
long time to be processed.
This CL fixes the crash by invalidating the native pointer on the Java side
when it is deleted so that the Java side can perform a native method call only
if the native instance pointer is still valid.
BUG=167585
Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=175139
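The lifetime problem and the fix described above, modelled as an added C++ example (not Chromium's code): the Java class is stood in for by `JavaDialog`, its `long` native-pointer field by `native_ptr_`, and the self-deleting native object by `NativeAppModalDialog`; all names are assumed.

```cpp
#include <cstdint>

class JavaDialog;  // stands in for the Java class

// Native counterpart: deletes itself once a UI event has been handled.
class NativeAppModalDialog {
 public:
  explicit NativeAppModalDialog(JavaDialog* owner) : owner_(owner) {}
  void DidAcceptAppModalDialog();  // defined after JavaDialog
 private:
  JavaDialog* owner_;
};

// Stand-in for the Java class; native_ptr_ plays the role of the long field
// the Java side hands to its JNI methods.
class JavaDialog {
 public:
  JavaDialog()
      : native_ptr_(reinterpret_cast<intptr_t>(new NativeAppModalDialog(this))) {}
  // Button click handler, guarded as in the fix: call into native only while
  // the pointer is still valid.
  bool OnAcceptClicked() {
    if (native_ptr_ == 0) return false;  // native instance already freed
    reinterpret_cast<NativeAppModalDialog*>(native_ptr_)->DidAcceptAppModalDialog();
    return true;
  }
  // Called by the native side right before it deletes itself.
  void InvalidateNativePointer() { native_ptr_ = 0; }
  bool HasNative() const { return native_ptr_ != 0; }
 private:
  intptr_t native_ptr_;
};

void NativeAppModalDialog::DidAcceptAppModalDialog() {
  owner_->InvalidateNativePointer();  // the fix: null the Java-side handle first
  delete this;                        // the pre-existing self-deletion
}

// Two clicks delivered before the dialog closes: with the guard the second one
// is a no-op instead of a call through a dangling pointer.
int SimulateDoubleClick() {
  JavaDialog dialog;
  int handled = 0;
  if (dialog.OnAcceptClicked()) ++handled;
  if (dialog.OnAcceptClicked()) ++handled;
  return handled;  // 1
}

// After one handled click the Java side no longer holds a live native pointer.
bool PointerInvalidatedAfterClick() {
  JavaDialog dialog;
  dialog.OnAcceptClicked();
  return !dialog.HasNative();
}
```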
Patch Set 1
Patch Set 2
Patch Set 3: Add missing 'virtual' (only needed by the Chromium style Clang plugin)
Messages
Total messages: 9 (0 generated)