IndexedDB: Fixed cursor/blob use-after-free bug

content/browser/indexed_db/indexed_db_dispatcher_host.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/indexed_db/indexed_db_dispatcher_host.h"
 
 #include "base/bind.h"
 #include "base/command_line.h"
 #include "base/files/file_path.h"
 #include "base/memory/scoped_vector.h"
@@ skipping 51 matching lines @@
       request_context_(request_context),
       indexed_db_context_(indexed_db_context),
       blob_storage_context_(blob_storage_context),
       database_dispatcher_host_(new DatabaseDispatcherHost(this)),
       cursor_dispatcher_host_(new CursorDispatcherHost(this)),
       ipc_process_id_(ipc_process_id) {
   DCHECK(indexed_db_context_.get());
 }
 
 IndexedDBDispatcherHost::~IndexedDBDispatcherHost() {
-  STLDeleteValues(&blob_data_handle_map_);
+  for (auto& iter : blob_data_handle_map_)
+    delete iter.second.first;
 }
 
 void IndexedDBDispatcherHost::OnChannelConnected(int32 peer_pid) {
   BrowserMessageFilter::OnChannelConnected(peer_pid);
 
   if (request_context_getter_.get()) {
     DCHECK(!request_context_);
     request_context_ = request_context_getter_->GetURLRequestContext();
     request_context_getter_ = NULL;
     DCHECK(request_context_);
@@ skipping 119 matching lines @@
     int64 host_transaction_id) {
   return host_transaction_id & 0xffffffff;
 }
 
 // static
 uint32 IndexedDBDispatcherHost::TransactionIdToProcessId(
     int64 host_transaction_id) {
   return (host_transaction_id >> 32) & 0xffffffff;
 }
 
+bool IndexedDBDispatcherHost::IncrementBlobDataIfHeld(const std::string& uuid) {
+  base::AutoLock lock(blob_data_map_lock_);
+  BlobDataHandleMap::iterator iter = blob_data_handle_map_.find(uuid);
+  if (iter != blob_data_handle_map_.end()) {
+    iter->second.second += 1;
+    return true;
+  }
+  return false;
+}
+
 void IndexedDBDispatcherHost::HoldBlobDataHandle(
     const std::string& uuid,
     scoped_ptr<storage::BlobDataHandle> blob_data_handle) {
+  base::AutoLock lock(blob_data_map_lock_);
   DCHECK(!ContainsKey(blob_data_handle_map_, uuid));
-  blob_data_handle_map_[uuid] = blob_data_handle.release();
+  blob_data_handle_map_[uuid] =
+      std::pair<storage::BlobDataHandle*, int>(blob_data_handle.release(), 1);
 }
 
 void IndexedDBDispatcherHost::DropBlobDataHandle(const std::string& uuid) {
+  base::AutoLock lock(blob_data_map_lock_);
   BlobDataHandleMap::iterator iter = blob_data_handle_map_.find(uuid);
   if (iter != blob_data_handle_map_.end()) {
-    delete iter->second;
-    blob_data_handle_map_.erase(iter);
+    DCHECK_GE(iter->second.second, 1);
+    if (iter->second.second == 1) {
+      delete iter->second.first;
+      blob_data_handle_map_.erase(iter);
+    } else {
+      iter->second.second -= 1;
+    }
   } else {
     DLOG(FATAL) << "Failed to find blob UUID in map:" << uuid;
   }
 }
 
 IndexedDBCursor* IndexedDBDispatcherHost::GetCursorFromId(int32 ipc_cursor_id) {
   DCHECK(indexed_db_context_->TaskRunner()->RunsTasksOnCurrentThread());
   return cursor_dispatcher_host_->map_.Lookup(ipc_cursor_id);
 }
 
@@ skipping 752 matching lines @@
 }
 
 void IndexedDBDispatcherHost::CursorDispatcherHost::OnDestroyed(
     int32 ipc_object_id) {
   DCHECK(
       parent_->indexed_db_context_->TaskRunner()->RunsTasksOnCurrentThread());
   parent_->DestroyObject(&map_, ipc_object_id);
 }
 
 }  // namespace content