Chromium Code Reviews

Unified Diff: content/renderer/render_frame_impl.cc

Issue 2514323003: Fix UaF in RenderFrameImpl::OnBeforeUnload. (Closed)
Patch Set: add comments Created 4 years, 1 month ago
Index: content/renderer/render_frame_impl.cc
diff --git a/content/renderer/render_frame_impl.cc b/content/renderer/render_frame_impl.cc
index 2f79ac027a3144ba9006282e9f8b529ea2d58d43..95b0c68645d2b1cc42c709b26d0a4ade3266dd92 100644
--- a/content/renderer/render_frame_impl.cc
+++ b/content/renderer/render_frame_impl.cc
@@ -1712,11 +1712,15 @@ void RenderFrameImpl::OnBeforeUnload(bool is_reload) {
// it.
CHECK(!frame_->parent());
+ // Save the routing_id, as the RenderFrameImpl can be deleted in
+ // dispatchBeforeUnloadEvent. See https://crbug.com/666714 for details.
+ int routing_id = routing_id_;
+
base::TimeTicks before_unload_start_time = base::TimeTicks::Now();
bool proceed = frame_->dispatchBeforeUnloadEvent(is_reload);
base::TimeTicks before_unload_end_time = base::TimeTicks::Now();
- Send(new FrameHostMsg_BeforeUnload_ACK(
- routing_id_, proceed, before_unload_start_time, before_unload_end_time));
+ RenderThread::Get()->Send(new FrameHostMsg_BeforeUnload_ACK(
+ routing_id, proceed, before_unload_start_time, before_unload_end_time));
}
void RenderFrameImpl::OnSwapOut(
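Review bot: The new comment above `int routing_id = routing_id_;` explains the saved id but not the switch from the member `Send(...)` to `RenderThread::Get()->Send(...)`, which is the other half of the fix. Both exist because `this` may already be deleted once `dispatchBeforeUnloadEvent` returns, so a later cleanup that restores the shorter `Send(` call would reintroduce the use-after-free. Please extend the comment, or add one at the Send call, to say that no member of RenderFrameImpl may be touched after the dispatch. Separately, the ACK is now sent unconditionally, including when the frame was destroyed during the event, so it is worth confirming that the browser side handles a `FrameHostMsg_BeforeUnload_ACK` for a routing id whose frame is gone.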