Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(93)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 138803012: Fix use-after-free in WebstoreInstaller (Closed)

Created:
6 years, 10 months ago by tmdiep
Modified:
6 years, 10 months ago
CC:
chromium-reviews, chromium-apps-reviews_chromium.org, extensions-reviews_chromium.org, chrome-apps-syd-reviews_chromium.org
Base URL:
https://chromium.googlesource.com/chromium/src.git@master
Visibility:
Public.

Description

Fix use-after-free in WebstoreInstaller Crashes are still occurring in WebstoreInstaller::StartDownload(), even after several attempts to fix them. Diagnosis: The installer holds a pointer to contents::NavigationController. This object is owned by contents::WebContents, which can be deleted before the StartDownload() callback is invoked. Fix: Store a pointer to contents::WebContents. Inherit from content::WebContentsObserver, which will clear the pointer when the WebContents are destroyed. BUG=165634 Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=250865

Patch Set 1 #

Unified diffs Side-by-side diffs Delta from patch set Stats (+37 lines, -41 lines) Patch
M chrome/browser/extensions/api/webstore_private/webstore_private_api.cc View 2 chunks +2 lines, -2 lines 0 comments Download
M chrome/browser/extensions/bundle_installer.h View 2 chunks +4 lines, -5 lines 0 comments Download
M chrome/browser/extensions/bundle_installer.cc View 4 chunks +2 lines, -5 lines 0 comments Download
M chrome/browser/extensions/webstore_installer.h View 5 chunks +7 lines, -6 lines 0 comments Download
M chrome/browser/extensions/webstore_installer.cc View 5 chunks +21 lines, -22 lines 0 comments Download
M chrome/browser/extensions/webstore_standalone_installer.cc View 1 chunk +1 line, -1 line 0 comments Download

Messages

Total messages: 6 (0 generated)
tmdiep
asargent: I saw the comments about the crashes while I was in this code and ...
6 years, 10 months ago (2014-02-10 23:56:44 UTC) #1
tmdiep
Opera team members came to the same conclusion and submitted an essentially identical fix: https://codereview.chromium.org/145873003
6 years, 10 months ago (2014-02-11 22:32:58 UTC) #2
asargent_no_longer_on_chrome
lgtm
6 years, 10 months ago (2014-02-11 22:41:12 UTC) #3
tmdiep
The CQ bit was checked by tmdiep@chromium.org
6 years, 10 months ago (2014-02-12 21:58:47 UTC) #4
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/tmdiep@chromium.org/138803012/1
6 years, 10 months ago (2014-02-12 22:02:27 UTC) #5
commit-bot: I haz the power
6 years, 10 months ago (2014-02-13 00:26:09 UTC) #6
Message was sent while issue was closed. 
Change committed as 250865

Powered by Google App Engine
This is Rietveld 408576698