<webview>: Fix WebRequest API crash

extensions/browser/api/web_request/web_request_api.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "extensions/browser/api/web_request/web_request_api.h"
 
 #include <algorithm>
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
@@ skipping 440 matching lines @@
 // NOTE(benjhayden) New APIs should not use this sub_event_name trick! It does
 // not play well with event pages. See downloads.onDeterminingFilename and
 // ExtensionDownloadsEventRouter for an alternative approach.
 struct ExtensionWebRequestEventRouter::EventListener {
   std::string extension_id;
   std::string extension_name;
   std::string sub_event_name;
   RequestFilter filter;
   int extra_info_spec;
   int embedder_process_id;
-  int webview_instance_id;
+  int web_view_instance_id;
   base::WeakPtr<IPC::Sender> ipc_sender;
   mutable std::set<uint64> blocked_requests;
 
   // Comparator to work with std::set.
   bool operator<(const EventListener& that) const {
-    if (extension_id < that.extension_id)
-      return true;
-    if (extension_id == that.extension_id &&
-        sub_event_name < that.sub_event_name)
-      return true;
+    if (extension_id != that.extension_id)
+      return extension_id < that.extension_id;
+
+    if (sub_event_name != that.sub_event_name)
+      return sub_event_name < that.sub_event_name;
+
+    if (embedder_process_id != that.embedder_process_id)
+      return embedder_process_id < that.embedder_process_id;
+
+    if (web_view_instance_id != that.web_view_instance_id)
+      return web_view_instance_id < that.web_view_instance_id;
+
     return false;
   }
 
-  EventListener() : extra_info_spec(0) {}
+  EventListener() :
+      extra_info_spec(0),
+      embedder_process_id(0),
+      web_view_instance_id(0) {}
 };
 
 // Contains info about requests that are blocked waiting for a response from
 // an extension.
 struct ExtensionWebRequestEventRouter::BlockedRequest {
   // The request that is being blocked.
   net::URLRequest* request;
 
   // Whether the request originates from an incognito tab.
   bool is_incognito;
@@ skipping 786 matching lines @@
 
 bool ExtensionWebRequestEventRouter::AddEventListener(
     void* browser_context,
     const std::string& extension_id,
     const std::string& extension_name,
     const std::string& event_name,
     const std::string& sub_event_name,
     const RequestFilter& filter,
     int extra_info_spec,
     int embedder_process_id,
-    int webview_instance_id,
+    int web_view_instance_id,
     base::WeakPtr<IPC::Sender> ipc_sender) {
   if (!IsWebRequestEvent(event_name))
     return false;
 
   EventListener listener;
   listener.extension_id = extension_id;
   listener.extension_name = extension_name;
   listener.sub_event_name = sub_event_name;
   listener.filter = filter;
   listener.extra_info_spec = extra_info_spec;
   listener.ipc_sender = ipc_sender;
   listener.embedder_process_id = embedder_process_id;
-  listener.webview_instance_id = webview_instance_id;
-  if (listener.webview_instance_id) {
+  listener.web_view_instance_id = web_view_instance_id;
+  if (listener.web_view_instance_id) {
     content::RecordAction(
         base::UserMetricsAction("WebView.WebRequest.AddListener"));
   }
 
   if (listeners_[browser_context][event_name].count(listener) != 0u) {
     // This is likely an abuse of the API by a malicious extension.
     return false;
   }
   listeners_[browser_context][event_name].insert(listener);
   return true;
@@ skipping 30 matching lines @@
 
   listeners_[browser_context][event_name].erase(listener);
 
   helpers::ClearCacheOnNavigation();
 }
 
 void ExtensionWebRequestEventRouter::RemoveWebViewEventListeners(
     void* browser_context,
     const std::string& extension_id,
     int embedder_process_id,
-    int webview_instance_id) {
+    int web_view_instance_id) {
   // Iterate over all listeners of all WebRequest events to delete
   // any listeners that belong to the provided <webview>.
   ListenerMapForBrowserContext& map_for_browser_context =
       listeners_[browser_context];
   for (ListenerMapForBrowserContext::iterator event_iter =
        map_for_browser_context.begin();
        event_iter != map_for_browser_context.end(); ++event_iter) {
     std::vector<EventListener> listeners_to_delete;
     std::set<EventListener>& listeners = event_iter->second;
     for (std::set<EventListener>::iterator listener_iter = listeners.begin();
          listener_iter != listeners.end(); ++listener_iter) {
       const EventListener& listener = *listener_iter;
       if (listener.embedder_process_id == embedder_process_id &&
-          listener.webview_instance_id == webview_instance_id)
+          listener.web_view_instance_id == web_view_instance_id)
         listeners_to_delete.push_back(listener);
     }
     for (size_t i = 0; i < listeners_to_delete.size(); ++i) {
       EventListener& listener = listeners_to_delete[i];
       content::BrowserThread::PostTask(
           content::BrowserThread::UI,
           FROM_HERE,
           base::Bind(&RemoveEventListenerOnUI,
                      browser_context,
                      listener.sub_event_name,
@@ skipping 103 matching lines @@
   for (std::set<EventListener>::iterator it = listeners.begin();
        it != listeners.end(); ++it) {
     if (!it->ipc_sender.get()) {
       // The IPC sender has been deleted. This listener will be removed soon
       // via a call to RemoveEventListener. For now, just skip it.
       continue;
     }
 
     if (is_web_view_guest &&
         (it->embedder_process_id != web_view_info.embedder_process_id ||
-         it->webview_instance_id != web_view_info.instance_id))
+         it->web_view_instance_id != web_view_info.instance_id))
       continue;
 
     if (!it->filter.urls.is_empty() && !it->filter.urls.MatchesURL(url))
       continue;
     if (web_request_event_router_delegate_ &&
         web_request_event_router_delegate_->OnGetMatchingListenersImplCheck(
             it->filter.tab_id, it->filter.window_id, request))
       continue;
     if (!it->filter.types.empty() &&
         std::find(it->filter.types.begin(), it->filter.types.end(),
@@ skipping 702 matching lines @@
         ExtensionWebRequestEventRouter::ExtraInfoSpec::InitFromValue(
             *value, &extra_info_spec));
   }
 
   std::string event_name;
   EXTENSION_FUNCTION_VALIDATE(args_->GetString(3, &event_name));
 
   std::string sub_event_name;
   EXTENSION_FUNCTION_VALIDATE(args_->GetString(4, &sub_event_name));
 
-  int webview_instance_id = 0;
-  EXTENSION_FUNCTION_VALIDATE(args_->GetInteger(5, &webview_instance_id));
+  int web_view_instance_id = 0;
+  EXTENSION_FUNCTION_VALIDATE(args_->GetInteger(5, &web_view_instance_id));
 
   base::WeakPtr<extensions::ExtensionMessageFilter> ipc_sender =
       ipc_sender_weak();
   int embedder_process_id =
-      ipc_sender.get() ? ipc_sender->render_process_id() : -1;
+      ipc_sender.get() && web_view_instance_id > 0 ?
+          ipc_sender->render_process_id() : 0;
 
   const Extension* extension =
       extension_info_map()->extensions().GetByID(extension_id_safe());
   std::string extension_name =
       extension ? extension->name() : extension_id_safe();
 
-  if (webview_instance_id == 0) {
+  if (!web_view_instance_id) {
     // We check automatically whether the extension has the 'webRequest'
     // permission. For blocking calls we require the additional permission
     // 'webRequestBlocking'.
     if ((extra_info_spec &
          (ExtensionWebRequestEventRouter::ExtraInfoSpec::BLOCKING |
           ExtensionWebRequestEventRouter::ExtraInfoSpec::ASYNC_BLOCKING)) &&
         !extension->permissions_data()->HasAPIPermission(
             extensions::APIPermission::kWebRequestBlocking)) {
       error_ = keys::kBlockingPermissionRequired;
       return false;
@@ skipping 10 matching lines @@
             .is_empty()) {
       error_ = keys::kHostPermissionsRequired;
       return false;
     }
   }
 
   bool success =
       ExtensionWebRequestEventRouter::GetInstance()->AddEventListener(
           profile_id(), extension_id_safe(), extension_name,
           event_name, sub_event_name, filter, extra_info_spec,
-          embedder_process_id, webview_instance_id, ipc_sender_weak());
+          embedder_process_id, web_view_instance_id, ipc_sender_weak());
   EXTENSION_FUNCTION_VALIDATE(success);
 
   helpers::ClearCacheOnNavigation();
 
   if (!extension_id_safe().empty()) {
     BrowserThread::PostTask(BrowserThread::UI, FROM_HERE,
                             base::Bind(&helpers::NotifyWebRequestAPIUsed,
                                        profile_id(), extension_id_safe()));
   }
 
@@ skipping 192 matching lines @@
       base::Bind(&WarningService::NotifyWarningsOnUI, profile_id(), warnings));
 
   // Continue gracefully.
   RunSync();
 }
 
 bool WebRequestHandlerBehaviorChangedFunction::RunSync() {
   helpers::ClearCacheOnNavigation();
   return true;
 }