[Sync] Address use-after-free in Directory::InsertEntry

components/sync/syncable/model_neutral_mutable_entry.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/sync/syncable/model_neutral_mutable_entry.h"
 
 #include <memory>
+#include <utility>
 
 #include "components/sync/base/hash_util.h"
 #include "components/sync/base/unique_position.h"
 #include "components/sync/syncable/directory.h"
 #include "components/sync/syncable/scoped_kernel_lock.h"
 #include "components/sync/syncable/syncable_changes_version.h"
 #include "components/sync/syncable/syncable_util.h"
 #include "components/sync/syncable/syncable_write_transaction.h"
 
 using std::string;
@@ skipping 12 matching lines @@
     return;  // already have an item with this ID.
   }
   std::unique_ptr<EntryKernel> kernel(new EntryKernel());
 
   kernel->put(ID, id);
   kernel->put(META_HANDLE, trans->directory()->NextMetahandle());
   kernel->mark_dirty(&trans->directory()->kernel()->dirty_metahandles);
   kernel->put(IS_DEL, true);
   // We match the database defaults here
   kernel->put(BASE_VERSION, CHANGES_VERSION);
-  if (!trans->directory()->InsertEntry(trans, kernel.get())) {
+  kernel_ = kernel.get();
+  if (!trans->directory()->InsertEntry(trans, std::move(kernel))) {
+    kernel_ = nullptr;
     return;  // Failed inserting.
   }
-  trans->TrackChangesTo(kernel.get());
-
-  kernel_ = kernel.release();
+  trans->TrackChangesTo(kernel_);
 }
 
 ModelNeutralMutableEntry::ModelNeutralMutableEntry(BaseWriteTransaction* trans,
                                                    CreateNewTypeRoot,
                                                    ModelType type)
     : Entry(trans), base_write_transaction_(trans) {
   // We allow NIGORI because we allow SyncEncryptionHandler to restore a nigori
   // across Directory instances (see SyncEncryptionHandler::RestoreNigori).
   if (type != NIGORI)
     DCHECK(IsTypeWithClientGeneratedRoot(type));
@@ skipping 11 matching lines @@
 
   kernel->put(ID,
               syncable::Id::CreateFromClientString(ModelTypeToString(type)));
   kernel->put(META_HANDLE, trans->directory()->NextMetahandle());
   kernel->put(PARENT_ID, syncable::Id::GetRoot());
   kernel->put(BASE_VERSION, CHANGES_VERSION);
   kernel->put(NON_UNIQUE_NAME, ModelTypeToString(type));
   kernel->put(IS_DIR, true);
 
   kernel->mark_dirty(&trans->directory()->kernel()->dirty_metahandles);
+  kernel_ = kernel.get();
 
-  if (!trans->directory()->InsertEntry(trans, kernel.get())) {
+  if (!trans->directory()->InsertEntry(trans, std::move(kernel))) {
+    kernel_ = nullptr;
     return;  // Failed inserting.
   }
-
-  trans->TrackChangesTo(kernel.get());
-
-  kernel_ = kernel.release();
+  trans->TrackChangesTo(kernel_);
 }
 
 ModelNeutralMutableEntry::ModelNeutralMutableEntry(BaseWriteTransaction* trans,
                                                    GetById,
                                                    const Id& id)
     : Entry(trans, GET_BY_ID, id), base_write_transaction_(trans) {}
 
 ModelNeutralMutableEntry::ModelNeutralMutableEntry(BaseWriteTransaction* trans,
                                                    GetByHandle,
                                                    int64_t metahandle)
@@ skipping 358 matching lines @@
 ModelNeutralMutableEntry::ModelNeutralMutableEntry(BaseWriteTransaction* trans)
     : Entry(trans), base_write_transaction_(trans) {}
 
 void ModelNeutralMutableEntry::MarkDirty() {
   kernel_->mark_dirty(&dir()->kernel()->dirty_metahandles);
 }
 
 }  // namespace syncable
 
 }  // namespace syncer