Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(561)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: sandbox/win/src/broker_services.cc

Issue 2331343004: Fix sandbox::PolicyBase leak (Closed)
Patch Set: Created 4 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « sandbox/win/src/broker_services.h ('k') | sandbox/win/src/policy_target_test.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: sandbox/win/src/broker_services.cc
diff --git a/sandbox/win/src/broker_services.cc b/sandbox/win/src/broker_services.cc
index b33889dcd3f2f15ac52472f2a2c879ecb0e3dc8f..f48014a1afa946482c52377437823e89a4161d95 100644
--- a/sandbox/win/src/broker_services.cc
+++ b/sandbox/win/src/broker_services.cc
@@ -54,7 +54,8 @@ enum {
// Helper structure that allows the Broker to associate a job notification
// with a job object and with a policy.
struct JobTracker {
- JobTracker(base::win::ScopedHandle job, sandbox::PolicyBase* policy)
+ JobTracker(base::win::ScopedHandle job,
+ scoped_refptr<sandbox::PolicyBase> policy)
: job(std::move(job)), policy(policy) {}
~JobTracker() {
FreeResources();
@@ -65,7 +66,7 @@ struct JobTracker {
void FreeResources();
base::win::ScopedHandle job;
- sandbox::PolicyBase* policy;
+ scoped_refptr<sandbox::PolicyBase> policy;
};
void JobTracker::FreeResources() {
@@ -79,8 +80,7 @@ void JobTracker::FreeResources() {
// In OnJobEmpty() we don't actually use the job handle directly.
policy->OnJobEmpty(stale_job_handle);
- policy->Release();
- policy = NULL;
+ policy = nullptr;
}
}
@@ -142,10 +142,13 @@ BrokerServicesBase::~BrokerServicesBase() {
::DeleteCriticalSection(&lock_);
}
-TargetPolicy* BrokerServicesBase::CreatePolicy() {
+scoped_refptr<TargetPolicy> BrokerServicesBase::CreatePolicy() {
// If you change the type of the object being created here you must also
// change the downcast to it in SpawnTarget().
- return new PolicyBase;
+ scoped_refptr<TargetPolicy> policy(new PolicyBase);
+ // PolicyBase starts with refcount 1.
piman 2016/09/13 22:29:07 nit: could we fix that?
+ policy->Release();
+ return policy;
}
// The worker thread stays in a loop waiting for asynchronous notifications
@@ -268,7 +271,7 @@ DWORD WINAPI BrokerServicesBase::TargetEventsThread(PVOID param) {
// process inside the sandbox.
ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path,
const wchar_t* command_line,
- TargetPolicy* policy,
+ scoped_refptr<TargetPolicy> policy,
ResultCode* last_warning,
DWORD* last_error,
PROCESS_INFORMATION* target_info) {
@@ -289,7 +292,7 @@ ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path,
AutoLock lock(&lock_);
// This downcast is safe as long as we control CreatePolicy()
- PolicyBase* policy_base = static_cast<PolicyBase*>(policy);
+ scoped_refptr<PolicyBase> policy_base(static_cast<PolicyBase*>(policy.get()));
// Construct the tokens and the job object that we are going to associate
// with the soon to be created target process.
@@ -441,7 +444,6 @@ ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path,
// We are going to keep a pointer to the policy because we'll call it when
// the job object generates notifications using the completion port.
- policy_base->AddRef();
if (job.IsValid()) {
std::unique_ptr<JobTracker> tracker(
new JobTracker(std::move(job), policy_base));
« no previous file with comments | « sandbox/win/src/broker_services.h ('k') | sandbox/win/src/policy_target_test.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698