Fix a potential use-after-free after JSONReader::Read.

chrome/browser/content_settings/content_settings_policy_provider.cc

Index: chrome/browser/content_settings/content_settings_policy_provider.cc
diff --git a/chrome/browser/content_settings/content_settings_policy_provider.cc b/chrome/browser/content_settings/content_settings_policy_provider.cc
index 13198e50137bbaacecc0a940411429d89ff47dc8..e747c28b73ddf121c058cba2f15528f6c544b450 100644
--- a/chrome/browser/content_settings/content_settings_policy_provider.cc
+++ b/chrome/browser/content_settings/content_settings_policy_provider.cc
@@ -353,11 +353,12 @@ void PolicyProvider::GetAutoSelectCertificateSettingsFromPreferences(
     scoped_ptr<base::DictionaryValue> pattern_filter_pair(
         static_cast<base::DictionaryValue*>(value.release()));
     std::string pattern_str;
-    bool pattern_read = pattern_filter_pair->GetString("pattern", &pattern_str);
-    scoped_ptr<base::Value> cert_filter;
-    bool filter_read = pattern_filter_pair->Remove("filter", &cert_filter);
-    if (!pattern_read || !filter_read ||
-        !cert_filter->IsType(base::Value::TYPE_DICTIONARY)) {
+    bool pattern_read = pattern_filter_pair->GetStringWithoutPathExpansion(
+        "pattern", &pattern_str);
+    base::DictionaryValue* cert_filter = NULL;
+    pattern_filter_pair->GetDictionaryWithoutPathExpansion("filter",
+                                                           &cert_filter);
+    if (!pattern_read || !cert_filter) {
       VLOG(1) << "Ignoring invalid certificate auto select setting. Reason:"
                  " Missing pattern or filter.";
       continue;
@@ -372,11 +373,13 @@ void PolicyProvider::GetAutoSelectCertificateSettingsFromPreferences(
       continue;
     }
 
+    // Don't pass removed values from |value|, because base::Values read with
+    // JSONReader use a shared string buffer. Instead, DeepCopy here.
     value_map->SetValue(pattern,
                         ContentSettingsPattern::Wildcard(),
                         CONTENT_SETTINGS_TYPE_AUTO_SELECT_CERTIFICATE,
                         std::string(),
-                        cert_filter.release());
+                        cert_filter->DeepCopy());
   }
 }