Fix read-after-free when loading two search engines with the same keyword.

chrome/browser/search_engines/template_url_service.h

Index: chrome/browser/search_engines/template_url_service.h
===================================================================
--- chrome/browser/search_engines/template_url_service.h	(revision 222964)
+++ chrome/browser/search_engines/template_url_service.h	(working copy)
@@ -425,7 +425,11 @@
 
   // Sets the keywords. This is used once the keywords have been loaded.
   // This does NOT notify the delegate or the database.
-  void SetTemplateURLs(const TemplateURLVector& urls);
+  //
+  // This transfers ownership of the elements in |urls| to |this|, and may
+  // delete some elements, so it's not safe for callers to access any elements
+  // after calling; to reinforce this, this function clears |urls| on exit.
+  void SetTemplateURLs(TemplateURLVector* urls);
 
   // Transitions to the loaded state.
   void ChangeToLoadedState();
@@ -615,6 +619,10 @@
   // Adds |template_urls| to |template_urls_| and sets up the default search
   // provider.  If |default_search_provider| is non-NULL, it must refer to one
   // of the |template_urls|, and will be used as the new default.
+  //
+  // This transfers ownership of the elements in |urls| to |this|, and may
+  // delete some elements, so it's not safe for callers to access any elements
+  // after calling; to reinforce this, this function clears |urls| on exit.

[beaudoin, 2013/09/14 03:24:03]

Nit: |urls| --> |template_urls|

[Peter Kasting, 2013/09/16 21:10:12]

Done.

   void AddTemplateURLsAndSetupDefaultEngine(
       TemplateURLVector* template_urls,
       TemplateURL* default_search_provider);