chrome/browser/ui/views/accessibility/accessibility_event_router_views.cc - Issue 13584005: Fix use-after-free of Profile after it's been destroyed.

Unified Diff: chrome/browser/ui/views/accessibility/accessibility_event_router_views.cc

Issue 13584005: Fix use-after-free of Profile after it's been destroyed. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Created 7 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« chrome/browser/ui/views/accessibility/accessibility_event_router_views.h ('K') | « chrome/browser/ui/views/accessibility/accessibility_event_router_views.h ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: chrome/browser/ui/views/accessibility/accessibility_event_router_views.cc

diff --git a/chrome/browser/ui/views/accessibility/accessibility_event_router_views.cc b/chrome/browser/ui/views/accessibility/accessibility_event_router_views.cc

index e64689faf69113cbcc197f06bb6831cb79d7b407..fe9ad4d16628ef08c67fb3fbfd05abd87102d882 100644

--- a/chrome/browser/ui/views/accessibility/accessibility_event_router_views.cc

+++ b/chrome/browser/ui/views/accessibility/accessibility_event_router_views.cc

@@ -14,6 +14,8 @@

#include "chrome/browser/profiles/profile.h"

#include "chrome/browser/profiles/profile_manager.h"

#include "chrome/common/chrome_notification_types.h"

+#include "content/public/browser/notification_service.h"

+#include "content/public/browser/notification_source.h"

#include "ui/base/accessibility/accessible_view_state.h"

#include "ui/views/controls/button/text_button.h"

#include "ui/views/controls/menu/menu_item_view.h"

@@ -25,6 +27,11 @@ using views::FocusManager;

AccessibilityEventRouterViews::AccessibilityEventRouterViews()

: most_recent_profile_(NULL) {

+ registrar_.reset(new content::NotificationRegistrar);

+ // Register for notification when profile is destroyed to ensure that all

+ // observers are detatched at that time.

+ registrar_->Add(this, chrome::NOTIFICATION_PROFILE_DESTROYED,

+ content::NotificationService::AllSources());

}

AccessibilityEventRouterViews::~AccessibilityEventRouterViews() {

@@ -100,6 +107,17 @@ void AccessibilityEventRouterViews::HandleMenuItemFocused(

chrome::NOTIFICATION_ACCESSIBILITY_CONTROL_FOCUSED, &info);

}

+void AccessibilityEventRouterViews::Observe(

+ int type,

+ const content::NotificationSource& source,

+ const content::NotificationDetails& details) {

+ if (type == chrome::NOTIFICATION_PROFILE_DESTROYED) {

Lei Zhang 2013/04/03 21:56:49 You can just DCHECK this.

dmazzoni 2013/04/03 22:02:29 Done.

+ Profile* profile = content::Source<Profile>(source).ptr();

+ if (profile == most_recent_profile_)

+ most_recent_profile_ = NULL;

+ }

// Private methods

@@ -117,10 +135,12 @@ void AccessibilityEventRouterViews::DispatchAccessibilityNotification(

}

if (!profile)

profile = most_recent_profile_;

- if (!profile)

- profile = g_browser_process->profile_manager()->GetLastUsedProfile();

if (!profile) {

- NOTREACHED();

+ if (g_browser_process->profile_manager())

+ profile = g_browser_process->profile_manager()->GetLastUsedProfile();

+ }

+ if (!profile) {

+ LOG(WARNING) << "Accessibility notification but no profile";

return;

}