Chromium Code Reviews
Description

Fix a use-after-free in WebsiteSettings::OnUIClosing.
This CL makes WebsiteSettings a WebContentsObserver, fixing a
use-after-free/race at browser shutdown. The exploit triggers when UI
destruction occurs after the WebContents that WebsiteSettings holds a
pointer to has been freed by the TabStripModel, triggering a deref of
the now invalid pointer.
WebsiteSettings now uses its inherited web_contents() method, which
will return a nullptr after the contents is freed. This prevents the
use-after-free.
BUG=640571
Committed: https://crrev.com/bdd53b5fbfbbb32d6ec8e5d8107040f3fa779868
Cr-Commit-Position: refs/heads/master@{#421408}
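
A reduced C++ model of the pattern the description relies on, added here as an illustration; it is not Chromium code or part of this CL. `Contents`, `ContentsObserver` and `Settings` are hypothetical stand-ins for the real classes, and the model is single-threaded.

```cpp
// Simplified model of the pattern; every name here is hypothetical, not Chromium's.
#include <algorithm>
#include <string>
#include <utility>
#include <vector>

class Contents;
// Observer base: owns the only pointer to the observed object and has it
// cleared when that object is destroyed.
class ContentsObserver {
 public:
  explicit ContentsObserver(Contents* c);
  virtual ~ContentsObserver();
  Contents* contents() const { return contents_; }  // nullptr once freed
 private:
  friend class Contents;
  Contents* contents_;
};

class Contents {
 public:
  explicit Contents(std::string url) : url_(std::move(url)) {}
  // Clear every observer's pointer before this object's memory is released.
  ~Contents() { for (ContentsObserver* o : observers_) o->contents_ = nullptr; }
  const std::string& url() const { return url_; }
 private:
  friend class ContentsObserver;
  std::string url_;
  std::vector<ContentsObserver*> observers_;
};

ContentsObserver::ContentsObserver(Contents* c) : contents_(c) {
  if (c) c->observers_.push_back(this);
}
ContentsObserver::~ContentsObserver() {
  if (!contents_) return;  // contents already gone, nothing to unregister from
  auto& v = contents_->observers_;
  v.erase(std::remove(v.begin(), v.end(), this), v.end());
}

// Stand-in for the settings object: it keeps no raw pointer of its own.
class Settings : public ContentsObserver {
 public:
  using ContentsObserver::ContentsObserver;
  // Returns the URL it acted on, or "" when the contents was freed first.
  std::string OnUIClosing() {
    Contents* c = contents();
    return c ? c->url() : std::string();
  }
};
```

The null check in `OnUIClosing` is what makes the late UI teardown safe: a class that cached its own `Contents*` member would still hold the stale address after the tab was destroyed.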
Patch Set 1 #
Messages
Total messages: 16 (10 generated)