[android_webview] Fix UAF in request interception code.

android_webview/native/intercepted_request_data_impl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "android_webview/native/intercepted_request_data_impl.h"
 
 #include "android_webview/browser/net/android_stream_reader_url_request_job.h"
 #include "android_webview/native/input_stream_impl.h"
 #include "base/android/jni_android.h"
 #include "base/android/jni_string.h"
 #include "jni/InterceptedRequestData_jni.h"
 #include "net/url_request/url_request.h"
 #include "net/url_request/url_request_job.h"
 
 using base::android::ScopedJavaLocalRef;
 
 namespace android_webview {
 
 namespace {
 
-class StreamReaderJobDelegateImpl :
-    public AndroidStreamReaderURLRequestJob::Delegate {
+class StreamReaderJobDelegateImpl
+    : public AndroidStreamReaderURLRequestJob::Delegate {
  public:
-    StreamReaderJobDelegateImpl(
-        const InterceptedRequestDataImpl* intercepted_request_data)
-        : intercepted_request_data_impl_(intercepted_request_data) {
-      DCHECK(intercepted_request_data_impl_);
-    }
+  StreamReaderJobDelegateImpl(
+      scoped_refptr<InterceptedRequestData::Holder> holder)
+      : holder_(holder) {
+    DCHECK(holder.get());
+  }
 
-    virtual scoped_ptr<InputStream> OpenInputStream(
-        JNIEnv* env,
-        const GURL& url) OVERRIDE {
-      return intercepted_request_data_impl_->GetInputStream(env).Pass();
-    }
+  virtual void OnStart() OVERRIDE {
+    if (!holder_.get()) return;
 
-    virtual void OnInputStreamOpenFailed(net::URLRequest* request,
-                                         bool* restart) OVERRIDE {
-      *restart = false;
-    }
+    // This is called on the IO thread so there is no risk of a race when
+    // transferring ownership of the InterceptedRequestData |data| member.
+    intercepted_request_data_impl_.reset(
+        static_cast<InterceptedRequestDataImpl*>(holder_->data.release()));
+    holder_ = NULL;
+  }
 
-    virtual bool GetMimeType(JNIEnv* env,
-                             net::URLRequest* request,
-                             android_webview::InputStream* stream,
-                             std::string* mime_type) OVERRIDE {
-      return intercepted_request_data_impl_->GetMimeType(env, mime_type);
-    }
+  virtual scoped_ptr<InputStream> OpenInputStream(JNIEnv* env,
+                                                  const GURL& url) OVERRIDE {
+    if (!intercepted_request_data_impl_) return scoped_ptr<InputStream>();
+    return intercepted_request_data_impl_->GetInputStream(env).Pass();
+  }
 
-    virtual bool GetCharset(JNIEnv* env,
-                            net::URLRequest* request,
-                            android_webview::InputStream* stream,
-                            std::string* charset) OVERRIDE {
-      return intercepted_request_data_impl_->GetCharset(env, charset);
-    }
+  virtual void OnInputStreamOpenFailed(net::URLRequest* request,
+                                       bool* restart) OVERRIDE {
+    *restart = false;
+  }
+
+  virtual bool GetMimeType(JNIEnv* env,
+                           net::URLRequest* request,
+                           android_webview::InputStream* stream,
+                           std::string* mime_type) OVERRIDE {
+    if (!intercepted_request_data_impl_) return false;
+    return intercepted_request_data_impl_->GetMimeType(env, mime_type);
+  }
+
+  virtual bool GetCharset(JNIEnv* env,
+                          net::URLRequest* request,
+                          android_webview::InputStream* stream,
+                          std::string* charset) OVERRIDE {
+    if (!intercepted_request_data_impl_) return false;
+    return intercepted_request_data_impl_->GetCharset(env, charset);
+  }
 
  private:
-    const InterceptedRequestDataImpl* intercepted_request_data_impl_;
+  scoped_refptr<InterceptedRequestData::Holder> holder_;
+  scoped_ptr<InterceptedRequestDataImpl> intercepted_request_data_impl_;
 };
 
 } // namespace
 
+// static
+net::URLRequestJob* InterceptedRequestData::CreateJobFor(
+    scoped_refptr<InterceptedRequestData::Holder> holder,
+    net::URLRequest* request,
+    net::NetworkDelegate* network_delegate) {
+  scoped_ptr<AndroidStreamReaderURLRequestJob::Delegate>
+      stream_reader_job_delegate_impl(new StreamReaderJobDelegateImpl(holder));
+  return new AndroidStreamReaderURLRequestJob(
+      request, network_delegate, stream_reader_job_delegate_impl.Pass());
+}
+
 InterceptedRequestDataImpl::InterceptedRequestDataImpl(
     const base::android::JavaRef<jobject>& obj)
   : java_object_(obj) {
 }
 
 InterceptedRequestDataImpl::~InterceptedRequestDataImpl() {
 }
 
 scoped_ptr<InputStream>
 InterceptedRequestDataImpl::GetInputStream(JNIEnv* env) const {
@@ skipping 21 matching lines @@
   if (jstring_charset.is_null())
     return false;
   *charset = ConvertJavaStringToUTF8(jstring_charset);
   return true;
 }
 
 bool RegisterInterceptedRequestData(JNIEnv* env) {
   return RegisterNativesImpl(env);
 }
 
-net::URLRequestJob* InterceptedRequestDataImpl::CreateJobFor(
-    net::URLRequest* request,
-    net::NetworkDelegate* network_delegate) const {
-  scoped_ptr<AndroidStreamReaderURLRequestJob::Delegate>
-      stream_reader_job_delegate_impl(new StreamReaderJobDelegateImpl(this));
-  return new AndroidStreamReaderURLRequestJob(
-      request, network_delegate, stream_reader_job_delegate_impl.Pass());
-}
-
 } // namespace android_webview