IndexedDB: Fixed cursor/blob use-after-free bug

content/browser/indexed_db/indexed_db_callbacks.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/indexed_db/indexed_db_callbacks.h"
 
 #include <algorithm>
 
-#include "base/guid.h"
 #include "base/metrics/histogram.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/time/time.h"
 #include "content/browser/child_process_security_policy_impl.h"
 #include "content/browser/fileapi/fileapi_message_filter.h"
 #include "content/browser/indexed_db/indexed_db_blob_info.h"
 #include "content/browser/indexed_db/indexed_db_connection.h"
 #include "content/browser/indexed_db/indexed_db_context_impl.h"
 #include "content/browser/indexed_db/indexed_db_cursor.h"
 #include "content/browser/indexed_db/indexed_db_database_callbacks.h"
@@ skipping 196 matching lines @@
     UMA_HISTOGRAM_MEDIUM_TIMES(
         "WebCore.IndexedDB.OpenTime.Success",
         base::TimeTicks::Now() - connection_open_start_time_);
     connection_open_start_time_ = base::TimeTicks();
   }
 }
 
 static std::string CreateBlobData(
     const IndexedDBBlobInfo& blob_info,
     scoped_refptr<IndexedDBDispatcherHost> dispatcher_host,
     storage::BlobStorageContext* blob_storage_context,

[dgrogan, 2014/12/05 01:09:29]

Looks like you can ax this parameter.

[cmumford, 2014/12/05 19:08:09]

Done.

     base::TaskRunner* task_runner) {
-  std::string uuid = blob_info.uuid();
-  if (!uuid.empty()) {
+  if (!blob_info.uuid().empty()) {
     // We're sending back a live blob, not a reference into our backing store.
-    scoped_ptr<storage::BlobDataHandle> blob_data_handle(
-        blob_storage_context->GetBlobDataFromUUID(uuid));
-    dispatcher_host->HoldBlobDataHandle(uuid, blob_data_handle.Pass());
-    return uuid;
+    return dispatcher_host->HoldBlobData(blob_info);
   }
   scoped_refptr<ShareableFileReference> shareable_file =
       ShareableFileReference::Get(blob_info.file_path());
   if (!shareable_file.get()) {
     shareable_file = ShareableFileReference::GetOrCreate(
         blob_info.file_path(),
         ShareableFileReference::DONT_DELETE_ON_FINAL_RELEASE,
         task_runner);
     if (!blob_info.release_callback().is_null())
       shareable_file->AddFinalReleaseCallback(blob_info.release_callback());
   }
-
-  uuid = base::GenerateGUID();
-  scoped_refptr<storage::BlobData> blob_data = new storage::BlobData(uuid);
-  blob_data->set_content_type(base::UTF16ToUTF8(blob_info.type()));
-  blob_data->AppendFile(
-      blob_info.file_path(), 0, blob_info.size(), blob_info.last_modified());
-  scoped_ptr<storage::BlobDataHandle> blob_data_handle(
-      blob_storage_context->AddFinishedBlob(blob_data.get()));
-  dispatcher_host->HoldBlobDataHandle(uuid, blob_data_handle.Pass());
-
-  return uuid;
+  return dispatcher_host->HoldBlobData(blob_info);
 }
 
 static bool CreateAllBlobs(
     const std::vector<IndexedDBBlobInfo>& blob_info,
     std::vector<IndexedDBMsg_BlobOrFileInfo>* blob_or_file_info,
     scoped_refptr<IndexedDBDispatcherHost> dispatcher_host) {
   DCHECK_EQ(blob_info.size(), blob_or_file_info->size());
   size_t i;
   if (!dispatcher_host->blob_storage_context())
     return false;
@@ skipping 334 matching lines @@
       ipc_thread_id_, ipc_callbacks_id_));
   dispatcher_host_ = NULL;
 }
 
 void IndexedDBCallbacks::SetConnectionOpenStartTime(
     const base::TimeTicks& start_time) {
   connection_open_start_time_ = start_time;
 }
 
 }  // namespace content