
Side by Side Diff: content/browser/indexed_db/indexed_db_dispatcher_host.h

Issue 774593004: IndexedDB: Fixed cursor/blob use-after-free bug (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 6 years ago
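--- a/content/browser/indexed_db/indexed_db_dispatcher_host.h
+++ b/content/browser/indexed_db/indexed_db_dispatcher_host.h
@@ -1,19 +1,20 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef CONTENT_BROWSER_INDEXED_DB_INDEXED_DB_DISPATCHER_HOST_H_
 #define CONTENT_BROWSER_INDEXED_DB_INDEXED_DB_DISPATCHER_HOST_H_
 
 #include <map>
 #include <string>
+#include <utility>
 #include <vector>
 
 #include "base/basictypes.h"
 #include "base/id_map.h"
 #include "base/memory/ref_counted.h"
 #include "content/browser/fileapi/chrome_blob_storage_context.h"
 #include "content/public/browser/browser_message_filter.h"
 #include "net/url_request/url_request_context_getter.h"
 #include "storage/browser/blob/blob_data_handle.h"
 #include "url/gurl.h"
@@ -89,29 +90,31 @@
 // id in the high 32 bits. The mapping is host-specific and ids are validated.
 int64 HostTransactionId(int64 transaction_id);
 int64 RendererTransactionId(int64 host_transaction_id);
 
 // These are called to decode a host transaction ID, for diagnostic purposes.
 static uint32 TransactionIdToRendererTransactionId(int64 host_transaction_id);
 static uint32 TransactionIdToProcessId(int64 host_transaction_id);
 
 void HoldBlobDataHandle(const std::string& uuid,
 scoped_ptr<storage::BlobDataHandle> blob_data_handle);
+bool IncrementBlobDataIfHeld(const std::string& uuid);
 void DropBlobDataHandle(const std::string& uuid);
 
 private:
 // Friends to enable OnDestruct() delegation.
 friend class BrowserThread;
 friend class base::DeleteHelper<IndexedDBDispatcherHost>;
 
 // Used in nested classes.
-typedef std::map<std::string, storage::BlobDataHandle*> BlobDataHandleMap;
+typedef std::map<std::string, std::pair<storage::BlobDataHandle*, int>>
+BlobDataHandleMap;
 typedef std::map<int64, int64> TransactionIDToDatabaseIDMap;
 typedef std::map<int64, uint64> TransactionIDToSizeMap;
 typedef std::map<int64, GURL> TransactionIDToURLMap;
 typedef std::map<int32, GURL> WebIDBObjectIDToURLMap;
 
 // IDMap for RefCounted types
 template <typename RefCountedType>
 class RefIDMap {
 public:
 typedef int32 KeyType;
@@ -262,25 +265,26 @@
 
 void ResetDispatcherHosts();
 
 // The getter holds the context until OnChannelConnected() can be called from
 // the IO thread, which will extract the net::URLRequestContext from it.
 scoped_refptr<net::URLRequestContextGetter> request_context_getter_;
 net::URLRequestContext* request_context_;
 scoped_refptr<IndexedDBContextImpl> indexed_db_context_;
 scoped_refptr<ChromeBlobStorageContext> blob_storage_context_;
 
+base::Lock blob_data_map_lock_;
 BlobDataHandleMap blob_data_handle_map_;
 
 // Only access on IndexedDB thread.
 scoped_ptr<DatabaseDispatcherHost> database_dispatcher_host_;
 scoped_ptr<CursorDispatcherHost> cursor_dispatcher_host_;
 
 // Used to set file permissions for blob storage.
 int ipc_process_id_;
 
 DISALLOW_IMPLICIT_CONSTRUCTORS(IndexedDBDispatcherHost);
 };
 
 } // namespace content
 
 #endif // CONTENT_BROWSER_INDEXED_DB_INDEXED_DB_DISPATCHER_HOST_H_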
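Review bot: The new `blob_data_map_lock_` member and the `int` in the `BlobDataHandleMap` pair are undocumented, yet the lifetime of the raw `storage::BlobDataHandle*` stored beside that count now appears to depend on both. A comment above the two members such as `// Guards blob_data_handle_map_. The int is the number of outstanding holds on the handle; the handle is destroyed only when it drops to zero.` (adjusted to whatever the .cc actually implements) would let a reader check every access against the invariant. `IncrementBlobDataIfHeld()` would likewise benefit from a one-line comment saying what a `false` return means for the caller, since ignoring it presumably reintroduces the unheld-blob case this change is fixing. The visible include block also does not list `base/synchronization/lock.h` for `base::Lock`; unless one of the skipped lines provides it, the header relies on a transitive include.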