| Index: android_webview/browser/aw_request_interceptor.cc
|
| diff --git a/android_webview/browser/aw_request_interceptor.cc b/android_webview/browser/aw_request_interceptor.cc
|
| index 0e5e28395f3cc7dcc5b53e9013c6e6e498895c63..43b60f30b69bb5d616ad29d35a28bdac7505a009 100644
|
| --- a/android_webview/browser/aw_request_interceptor.cc
|
| +++ b/android_webview/browser/aw_request_interceptor.cc
|
| @@ -28,22 +28,20 @@ const void* kURLRequestUserDataKey = &kURLRequestUserDataKey;
|
|
|
| class URLRequestUserData : public base::SupportsUserData::Data {
|
| public:
|
| - URLRequestUserData(
|
| - scoped_ptr<InterceptedRequestData> intercepted_request_data)
|
| - : intercepted_request_data_(intercepted_request_data.Pass()) {
|
| - }
|
| + URLRequestUserData(scoped_refptr<InterceptedRequestData::Holder> holder)
|
| + : holder_(holder) {}
|
|
|
| - static URLRequestUserData* Get(net::URLRequest* request) {
|
| - return reinterpret_cast<URLRequestUserData*>(
|
| - request->GetUserData(kURLRequestUserDataKey));
|
| - }
|
| + static URLRequestUserData* Get(net::URLRequest* request) {
|
| + return reinterpret_cast<URLRequestUserData*>(
|
| + request->GetUserData(kURLRequestUserDataKey));
|
| + }
|
|
|
| - const InterceptedRequestData* intercepted_request_data() const {
|
| - return intercepted_request_data_.get();
|
| - }
|
| + scoped_refptr<InterceptedRequestData::Holder> holder() const {
|
| + return holder_;
|
| + }
|
|
|
| private:
|
| - scoped_ptr<InterceptedRequestData> intercepted_request_data_;
|
| + scoped_refptr<InterceptedRequestData::Holder> holder_;
|
| };
|
|
|
| } // namespace
|
| @@ -91,17 +89,21 @@ net::URLRequestJob* AwRequestInterceptor::MaybeCreateJob(
|
| // call to QueryForInterceptedRequestData is made (regardless of whether
|
| // the result of that call is a valid InterceptedRequestData* pointer or
|
| // NULL.
|
| - user_data = new URLRequestUserData(
|
| - QueryForInterceptedRequestData(request->url(), request));
|
| + scoped_ptr<InterceptedRequestData> data =
|
| + QueryForInterceptedRequestData(request->url(), request);
|
| + scoped_refptr<InterceptedRequestData::Holder> holder;
|
| + if (data) {
|
| + holder = new InterceptedRequestData::Holder();
|
| + holder->data = data.Pass();
|
| + }
|
| + user_data = new URLRequestUserData(holder);
|
| request->SetUserData(kURLRequestUserDataKey, user_data);
|
| }
|
|
|
| - const InterceptedRequestData* intercepted_request_data =
|
| - user_data->intercepted_request_data();
|
| -
|
| - if (!intercepted_request_data)
|
| + if (!user_data->holder().get())
|
| return NULL;
|
| - return intercepted_request_data->CreateJobFor(request, network_delegate);
|
| + return InterceptedRequestData::CreateJobFor(
|
| + user_data->holder(), request, network_delegate);
|
| }
|
|
|
| } // namespace android_webview
|
|
|
Chromium Code Reviews
Issue 59903011:
[android_webview] Fix UAF in request interception code. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src