Avoid use-after-free in FormFetcherImpl

components/password_manager/content/browser/credential_manager_impl.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/password_manager/content/browser/credential_manager_impl.h"
 
 #include <utility>
 
 #include "base/bind.h"
+#include "base/memory/ptr_util.h"
 #include "base/metrics/user_metrics.h"
 #include "base/strings/string16.h"
 #include "base/strings/utf_string_conversions.h"
 #include "components/autofill/core/common/password_form.h"
 #include "components/password_manager/content/browser/content_password_manager_driver.h"
 #include "components/password_manager/content/browser/content_password_manager_driver_factory.h"
 #include "components/password_manager/core/browser/affiliated_match_helper.h"
 #include "components/password_manager/core/browser/credential_manager_logger.h"
+#include "components/password_manager/core/browser/form_fetcher.h"
+#include "components/password_manager/core/browser/form_saver.h"

[vasilii, 2016/12/21 11:00:49]

I think both headers are unused.

[vabr (Chromium), 2016/12/21 11:35:25]

They are not. On line 82, there are two nullptr passed to a function call in
place of pointers to FormFetcher and FormSaver. In particular, the FormSaver is
a unique_ptr, so there the header is needed to know how to create it based on
nullptr. The other one is raw, so I can drop that header. (Done.)

 #include "components/password_manager/core/browser/password_manager_client.h"
 #include "components/password_manager/core/browser/password_manager_metrics_util.h"
 #include "components/password_manager/core/browser/password_manager_util.h"
 #include "components/password_manager/core/browser/password_store.h"
 #include "components/password_manager/core/common/credential_manager_types.h"
 #include "components/password_manager/core/common/password_manager_pref_names.h"
 #include "content/public/browser/web_contents.h"
 
 namespace password_manager {
 
@@ skipping 39 matching lines @@
   if (!client_->IsSavingAndFillingEnabledForCurrentPage() ||
       !client_->OnCredentialManagerUsed())
     return;
 
   client_->NotifyStorePasswordCalled();
 
   GURL origin = web_contents()->GetLastCommittedURL().GetOrigin();
   std::unique_ptr<autofill::PasswordForm> form(
       CreatePasswordFormFromCredentialInfo(credential, origin));
 
-  form_manager_.reset(new CredentialManagerPasswordFormManager(
+  form_manager_ = base::MakeUnique<CredentialManagerPasswordFormManager>(
       client_, GetDriver(), *CreateObservedPasswordFormFromOrigin(origin),
-      std::move(form), this));
+      std::move(form), this, nullptr, nullptr);
 }
 
 void CredentialManagerImpl::OnProvisionalSaveComplete() {
   DCHECK(form_manager_);
   DCHECK(client_->IsSavingAndFillingEnabledForCurrentPage());
   const autofill::PasswordForm& form = form_manager_->pending_credentials();
 
   if (!form.federation_origin.unique()) {
     // If this is a federated credential, check it against the federated matches
     // produced by the PasswordFormManager. If a match is found, update it and
@@ skipping 175 matching lines @@
 PasswordStore::FormDigest CredentialManagerImpl::GetSynthesizedFormForOrigin()
     const {
   PasswordStore::FormDigest digest = {
       autofill::PasswordForm::SCHEME_HTML, std::string(),
       web_contents()->GetLastCommittedURL().GetOrigin()};
   digest.signon_realm = digest.origin.spec();
   return digest;
 }
 
 }  // namespace password_manager