Fix heap-use-after-free during CefCookieManagerImpl destruction (issue #1882)
This commit is contained in:
parent
e690fa444c
commit
52f9aacdf5
|
@ -113,10 +113,18 @@ void SetCookieCallbackImpl(CefRefPtr<CefSetCookieCallback> callback,
|
|||
base::Bind(&CefSetCookieCallback::OnComplete, callback.get(), success));
|
||||
}
|
||||
|
||||
net::CookieStore* GetExistingCookieStoreHelper(
|
||||
base::WeakPtr<CefCookieManagerImpl> cookie_manager) {
|
||||
if (cookie_manager.get())
|
||||
return cookie_manager->GetExistingCookieStore();
|
||||
return nullptr;
|
||||
}
|
||||
|
||||
} // namespace
|
||||
|
||||
|
||||
CefCookieManagerImpl::CefCookieManagerImpl() {
|
||||
CefCookieManagerImpl::CefCookieManagerImpl()
|
||||
: weak_ptr_factory_(this) {
|
||||
}
|
||||
|
||||
CefCookieManagerImpl::~CefCookieManagerImpl() {
|
||||
|
@ -160,8 +168,16 @@ void CefCookieManagerImpl::GetCookieStore(
|
|||
|
||||
DCHECK(cookie_store_.get());
|
||||
|
||||
// Binding ref-counted |this| to CookieStoreGetter may result in
|
||||
// heap-use-after-free if (a) the CookieStoreGetter contains the last
|
||||
// CefCookieManagerImpl reference and (b) that reference is released during
|
||||
// execution of a CookieMonster callback (which then results in the
|
||||
// CookieManager being deleted). Use WeakPtr instead of |this| so that, in
|
||||
// that case, the CookieStoreGetter will return nullptr instead of keeping
|
||||
// the CefCookieManagerImpl alive (see issue #1882).
|
||||
const CookieStoreGetter& cookie_store_getter =
|
||||
base::Bind(&CefCookieManagerImpl::GetExistingCookieStore, this);
|
||||
base::Bind(GetExistingCookieStoreHelper,
|
||||
weak_ptr_factory_.GetWeakPtr());
|
||||
|
||||
if (task_runner->BelongsToCurrentThread()) {
|
||||
// Execute the callback immediately.
|
||||
|
|
|
@ -12,6 +12,7 @@
|
|||
#include "libcef/browser/thread_util.h"
|
||||
|
||||
#include "base/files/file_path.h"
|
||||
#include "base/memory/weak_ptr.h"
|
||||
#include "net/cookies/cookie_monster.h"
|
||||
|
||||
// Implementation of the CefCookieManager interface.
|
||||
|
@ -126,6 +127,9 @@ class CefCookieManagerImpl : public CefCookieManager {
|
|||
std::vector<std::string> supported_schemes_;
|
||||
std::unique_ptr<net::CookieMonster> cookie_store_;
|
||||
|
||||
// Must be the last member.
|
||||
base::WeakPtrFactory<CefCookieManagerImpl> weak_ptr_factory_;
|
||||
|
||||
IMPLEMENT_REFCOUNTING_DELETE_ON_IOT(CefCookieManagerImpl);
|
||||
};
|
||||
|
||||
|
|
Loading…
Reference in New Issue