Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1604)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: content/renderer/pepper/pepper_in_process_router.cc

Issue 314603002: Ensure that in-process plugins can't destroy themselves by closing a URLLoader (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 6 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « no previous file | content/renderer/pepper/pepper_plugin_instance_impl.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: content/renderer/pepper/pepper_in_process_router.cc
diff --git a/content/renderer/pepper/pepper_in_process_router.cc b/content/renderer/pepper/pepper_in_process_router.cc
index 9194f12fb7f688d22773edd92bcaa6d3b8b416c0..d4dd85479523996aeddc0bd9acafcd1c80e1d933 100644
--- a/content/renderer/pepper/pepper_in_process_router.cc
+++ b/content/renderer/pepper/pepper_in_process_router.cc
@@ -103,14 +103,42 @@ bool PepperInProcessRouter::OnPluginMsgReceived(const IPC::Message& msg) {
bool PepperInProcessRouter::SendToHost(IPC::Message* msg) {
scoped_ptr<IPC::Message> message(msg);
+ // Unpack the message so we can peek at its nested type.
+ uint32 call_type = 0;
+ if (message->type() == PpapiHostMsg_ResourceCall::ID) {
+ ppapi::proxy::ResourceMessageCallParams call_params;
+ IPC::Message nested_msg;
+ if (!UnpackMessage<PpapiHostMsg_ResourceCall>(*msg, &call_params,
+ &nested_msg)) {
+ NOTREACHED();
+ return false;
+ }
+ call_type = nested_msg.type();
+ // Repack the message.
+ message.reset(new PpapiHostMsg_ResourceCall(call_params, nested_msg));
+ }
+
if (!message->is_sync()) {
- // If this is a resource destroyed message, post a task to dispatch it.
- // Dispatching it synchronously can cause the host to re-enter the proxy
- // code while we're still in the resource destructor, leading to a crash.
- // http://crbug.com/276368.
- // This won't cause message reordering problems because the resource
- // destroyed message is always the last one sent for a resource.
if (message->type() == PpapiHostMsg_ResourceDestroyed::ID) {
+ // If this is a resource destroyed message, post a task to dispatch it.
+ // Dispatching it synchronously can cause the host to re-enter the proxy
+ // code while we're still in the resource destructor, leading to a crash.
+ // http://crbug.com/276368.
+ // This won't cause message reordering problems because the resource
+ // destroyed message is always the last one sent for a resource.
+ base::MessageLoop::current()->PostTask(
+ FROM_HERE,
+ base::Bind(&PepperInProcessRouter::DispatchHostMsg,
+ weak_factory_.GetWeakPtr(),
+ base::Owned(message.release())));
+ return true;
+ } else if (call_type == PpapiHostMsg_URLLoader_Close::ID) {
+ // If this is a PpapiHostMsg_URLLoader_Close, it could trigger the
+ // destruction of the instance (crbug.com/372548) so post a task to
+ // dispatch it as well. Because PpapiHostMsg_ResourceDestroyed messages
+ // are also posted above, ordering with respect to those messages will
+ // still be correct. Ordering with respect to other messages should not
+ // be important.
base::MessageLoop::current()->PostTask(
FROM_HERE,
base::Bind(&PepperInProcessRouter::DispatchHostMsg,
« no previous file with comments | « no previous file | content/renderer/pepper/pepper_plugin_instance_impl.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698