Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(780)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 427583003: Fix UAF in chrome_pdf::Instance::GetURL() (Closed)

Created:
6 years, 4 months ago by Tom Sepez
Modified:
6 years, 4 months ago
Reviewers:
palmer, jam
CC:
chromium-reviews, palmer, inferno
Project:
chromium
Visibility:
Public.

Description

Fix UAF in chrome_pdf::Instance::GetURL() The instance owns the engine via its engine_ scoped_ptr, so if the engine is being destroyed via the scoped_ptr destructor, it may not be safe to access anything in the instance since the instance may be partially destroyed. Instead, destroy the engine as the first step in the process so the instance is still intact. BUG=392956 Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=287955

Patch Set 1 #

Patch Set 2 : Alternative, more correct fix (but riskier). #

Total comments: 1

Patch Set 3 : Just reset engine. #

Patch Set 4 : Add comment. #

Patch Set 5 : better comment #

Unified diffs Side-by-side diffs Delta from patch set Stats (+3 lines, -0 lines) Patch
M pdf/instance.cc View 1 2 3 4 1 chunk +3 lines, -0 lines 0 comments Download

Messages

Total messages: 12 (0 generated)
Tom Sepez
John, please review or suggest an alternate.
6 years, 4 months ago (2014-07-30 21:36:37 UTC) #1
Tom Sepez
On 2014/07/30 21:36:37, Tom Sepez wrote: > John, please review or suggest an alternate. PS ...
6 years, 4 months ago (2014-07-30 23:41:17 UTC) #2
Tom Sepez
The latter seems to knock out several other CF test cases. I'm wondering if we ...
6 years, 4 months ago (2014-07-31 17:52:03 UTC) #3
Tom Sepez
It looks like WillBeDestroyed() called early on in the instance destructor is too late.
6 years, 4 months ago (2014-07-31 18:19:15 UTC) #4
palmer
lgtm
6 years, 4 months ago (2014-07-31 18:31:57 UTC) #5
jam
https://codereview.chromium.org/427583003/diff/20001/pdf/instance.cc File pdf/instance.cc (right): https://codereview.chromium.org/427583003/diff/20001/pdf/instance.cc#newcode310 pdf/instance.cc:310: engine_->ClientDestroyed(); why not just engine_.reset() here?
6 years, 4 months ago (2014-07-31 22:22:32 UTC) #6
Tom Sepez
On 2014/07/31 22:22:32, jam wrote: > https://codereview.chromium.org/427583003/diff/20001/pdf/instance.cc > File pdf/instance.cc (right): > > https://codereview.chromium.org/427583003/diff/20001/pdf/instance.cc#newcode310 > ...
6 years, 4 months ago (2014-08-01 16:08:20 UTC) #7
Tom Sepez
John, please re-review. It looks like your suggestion takes care of the test case by ...
6 years, 4 months ago (2014-08-06 20:45:35 UTC) #8
jam
On 2014/08/06 20:45:35, Tom Sepez wrote: > John, please re-review. It looks like your suggestion ...
6 years, 4 months ago (2014-08-06 21:15:30 UTC) #9
Tom Sepez
The CQ bit was checked by tsepez@chromium.org
6 years, 4 months ago (2014-08-06 21:43:36 UTC) #10
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/tsepez@chromium.org/427583003/80001
6 years, 4 months ago (2014-08-06 21:44:41 UTC) #11
commit-bot: I haz the power
6 years, 4 months ago (2014-08-07 03:32:54 UTC) #12
Message was sent while issue was closed. 
Change committed as 287955

Powered by Google App Engine
This is Rietveld 408576698