Chromium Code Reviews Chromium Code Reviews
Issue 1756483004:
Fix use-after-free when navigating a subframe to about:blank. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/renderer/render_frame_impl.h" | 5 #include "content/renderer/render_frame_impl.h" |
| 6 | 6 |
| 7 #include <map> | 7 #include <map> |
| 8 #include <string> | 8 #include <string> |
| 9 #include <utility> | 9 #include <utility> |
| 10 #include <vector> | 10 #include <vector> |
| (...skipping 5483 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 5494 if (!common_params.base_url_for_data_url.is_empty() || | 5494 if (!common_params.base_url_for_data_url.is_empty() || |
| 5495 #if defined(OS_ANDROID) | 5495 #if defined(OS_ANDROID) |
| 5496 !request_params.data_url_as_string.empty() || | 5496 !request_params.data_url_as_string.empty() || |
| 5497 #endif | 5497 #endif |
| 5498 (browser_side_navigation && | 5498 (browser_side_navigation && |
| 5499 common_params.url.SchemeIs(url::kDataScheme))) { | 5499 common_params.url.SchemeIs(url::kDataScheme))) { |
| 5500 LoadDataURL(common_params, request_params, frame_, load_type, | 5500 LoadDataURL(common_params, request_params, frame_, load_type, |
| 5501 item_for_history_navigation, history_load_type, | 5501 item_for_history_navigation, history_load_type, |
| 5502 is_client_redirect); | 5502 is_client_redirect); |
| 5503 } else { | 5503 } else { |
| 5504 // The load of the URL can result in this frame being removed. Use a | |
| 5505 // WeakPtr as an easy way to detect whether this has occured. If so, this | |
| 5506 // method should return immediately and not touch any part of the object, | |
| 5507 // otherwise it will result in a use-after-free bug. | |
| 5508 base::WeakPtr<RenderFrameImpl> weak_this = weak_factory_.GetWeakPtr(); | |
| 5509 | |
| 5504 // Load the request. | 5510 // Load the request. |
| 5505 frame_->load(request, load_type, item_for_history_navigation, | 5511 frame_->load(request, load_type, item_for_history_navigation, |
| 5506 history_load_type, is_client_redirect); | 5512 history_load_type, is_client_redirect); |
| 5513 | |
| 5514 if (!weak_this.get()) | |
|
dcheng
2016/03/03 00:46:59
No .get()
nasko
2016/03/03 16:59:17
Done.
| |
| 5515 return; | |
| 5507 } | 5516 } |
| 5508 } else { | 5517 } else { |
| 5509 // The browser expects the frame to be loading this navigation. Inform it | 5518 // The browser expects the frame to be loading this navigation. Inform it |
| 5510 // that the load stopped if needed. | 5519 // that the load stopped if needed. |
| 5511 // Note: in the case of history navigations, |should_load_request| will be | 5520 // Note: in the case of history navigations, |should_load_request| will be |
| 5512 // false, and the frame may not have been set in a loading state. Do not | 5521 // false, and the frame may not have been set in a loading state. Do not |
| 5513 // send a stop message if the HistoryController is loading in this frame | 5522 // send a stop message if the HistoryController is loading in this frame |
| 5514 // nonetheless. This behavior will go away with subframe navigation | 5523 // nonetheless. This behavior will go away with subframe navigation |
| 5515 // entries. | 5524 // entries. |
| 5516 if (!frame_->isLoading() && !has_history_navigation_in_frame) | 5525 if (!frame_->isLoading() && !has_history_navigation_in_frame) |
| (...skipping 585 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 6102 int match_count, | 6111 int match_count, |
| 6103 int ordinal, | 6112 int ordinal, |
| 6104 const WebRect& selection_rect, | 6113 const WebRect& selection_rect, |
| 6105 bool final_status_update) { | 6114 bool final_status_update) { |
| 6106 Send(new FrameHostMsg_Find_Reply(routing_id_, request_id, match_count, | 6115 Send(new FrameHostMsg_Find_Reply(routing_id_, request_id, match_count, |
| 6107 selection_rect, ordinal, | 6116 selection_rect, ordinal, |
| 6108 final_status_update)); | 6117 final_status_update)); |
| 6109 } | 6118 } |
| 6110 | 6119 |
| 6111 } // namespace content | 6120 } // namespace content |
| OLD | NEW |
