
Unified Diff: content/child/child_shared_bitmap_manager.cc

Issue 382133002: Fix use-after-free of ChildSharedBitmapManager (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 6 years, 5 months ago
Index: content/child/child_shared_bitmap_manager.cc
diff --git a/content/child/child_shared_bitmap_manager.cc b/content/child/child_shared_bitmap_manager.cc
index 904dc45ed0f0b5e857143b0d8e6efcdf8866d200..41c22610c4ae237b0ae465cd57ea023a716f6f2a 100644
--- a/content/child/child_shared_bitmap_manager.cc
+++ b/content/child/child_shared_bitmap_manager.cc
@@ -10,9 +10,27 @@
namespace content {
+namespace {
+
+void FreeSharedMemory(scoped_refptr<ThreadSafeSender> sender,
+ cc::SharedBitmap* bitmap) {
+ TRACE_EVENT0("renderer", "ChildSharedBitmapManager::FreeSharedMemory");
+ sender->Send(new ChildProcessHostMsg_DeletedSharedBitmap(bitmap->id()));
+ delete bitmap->memory();
+}
+
+void ReleaseSharedBitmap(scoped_refptr<ThreadSafeSender> sender,
+ cc::SharedBitmap* handle) {
+ TRACE_EVENT0("renderer", "ChildSharedBitmapManager::ReleaseSharedBitmap");
+ sender->Send(new ChildProcessHostMsg_DeletedSharedBitmap(handle->id()));
+}
+
+} // namespace
+
ChildSharedBitmapManager::ChildSharedBitmapManager(
scoped_refptr<ThreadSafeSender> sender)
- : sender_(sender) {}
+ : sender_(sender) {
+}
ChildSharedBitmapManager::~ChildSharedBitmapManager() {}
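Review bot: The new file-local callbacks `FreeSharedMemory` and `ReleaseSharedBitmap` carry no comment saying why they take a `scoped_refptr<ThreadSafeSender>` or how they differ in ownership, and that lifetime reasoning is the whole point of this fix. I would add above the first one `// Bound with its own reference to the sender so the callback stays valid if the SharedBitmap outlives the ChildSharedBitmapManager.` and, on `FreeSharedMemory`, `// Takes ownership of bitmap->memory() and deletes it; ReleaseSharedBitmap only notifies the host.` Because these callbacks can now run after the manager is gone, it is also worth stating that they must touch nothing but the sender and the bitmap. This presumably relies on `ThreadSafeSender::Send` being safe to call late in shutdown, which is not visible in this hunk and should be confirmed.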
@@ -42,13 +60,8 @@ scoped_ptr<cc::SharedBitmap> ChildSharedBitmapManager::AllocateSharedBitmap(
sender_->Send(new ChildProcessHostMsg_AllocatedSharedBitmap(
memory_size, handle_to_send, id));
#endif
- // The compositor owning the SharedBitmap will be closed before the
- // ChildThread containng this, making the use of base::Unretained safe.
return scoped_ptr<cc::SharedBitmap>(new cc::SharedBitmap(
- memory.release(),
- id,
- base::Bind(&ChildSharedBitmapManager::FreeSharedMemory,
- base::Unretained(this))));
+ memory.release(), id, base::Bind(&FreeSharedMemory, sender_)));
}
scoped_ptr<cc::SharedBitmap> ChildSharedBitmapManager::GetSharedBitmapFromId(
@@ -70,22 +83,8 @@ scoped_ptr<cc::SharedBitmap> ChildSharedBitmapManager::GetBitmapForSharedMemory(
mem->mapped_size(), handle_to_send, id));
// The compositor owning the SharedBitmap will be closed before the
// ChildThread containng this, making the use of base::Unretained safe.
- return scoped_ptr<cc::SharedBitmap>(new cc::SharedBitmap(
- mem,
- id,
- base::Bind(&ChildSharedBitmapManager::ReleaseSharedBitmap,
- base::Unretained(this))));
-}
-
-void ChildSharedBitmapManager::FreeSharedMemory(cc::SharedBitmap* bitmap) {
- TRACE_EVENT0("renderer", "ChildSharedBitmapManager::FreeSharedMemory");
- sender_->Send(new ChildProcessHostMsg_DeletedSharedBitmap(bitmap->id()));
- delete bitmap->memory();
-}
-
-void ChildSharedBitmapManager::ReleaseSharedBitmap(cc::SharedBitmap* handle) {
- TRACE_EVENT0("renderer", "ChildSharedBitmapManager::ReleaseSharedBitmap");
- sender_->Send(new ChildProcessHostMsg_DeletedSharedBitmap(handle->id()));
+ return scoped_ptr<cc::SharedBitmap>(
+ new cc::SharedBitmap(mem, id, base::Bind(&ReleaseSharedBitmap, sender_)));
}
} // namespace content
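Review bot: The context comment just above the new `return` in `GetBitmapForSharedMemory` still says the compositor closes first, "making the use of base::Unretained safe", but the new code no longer uses `base::Unretained`. The matching comment in `AllocateSharedBitmap` was removed by this patch, so this one looks like an oversight, and it preserves the exact lifetime assumption that the use-after-free disproved. I would replace it with `// The callback holds its own reference to sender_, so it remains valid even if the SharedBitmap outlives this manager.` The function body starts outside this hunk, so only the tail is reviewed here.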