Fix heap-use-after-free during CefCookieManagerImpl destruction (issue #1882)

2016-04-29 14:09:35 -07:00 · 2016-04-29 14:09:35 -07:00 · 52f9aacdf5
parent e690fa444c
commit 52f9aacdf5
2 changed files with 22 additions and 2 deletions
--- a/libcef/browser/cookie_manager_impl.cc
+++ b/libcef/browser/cookie_manager_impl.cc
@ -113,10 +113,18 @@ void SetCookieCallbackImpl(CefRefPtr<CefSetCookieCallback> callback,
      base::Bind(&CefSetCookieCallback::OnComplete, callback.get(), success));
 }

+net::CookieStore* GetExistingCookieStoreHelper(
+    base::WeakPtr<CefCookieManagerImpl> cookie_manager) {
+  if (cookie_manager.get())
+    return cookie_manager->GetExistingCookieStore();
+  return nullptr;
+}
+
 }  // namespace


-CefCookieManagerImpl::CefCookieManagerImpl() {
+CefCookieManagerImpl::CefCookieManagerImpl()
+    : weak_ptr_factory_(this) {
 }

 CefCookieManagerImpl::~CefCookieManagerImpl() {
@ -160,8 +168,16 @@ void CefCookieManagerImpl::GetCookieStore(

  DCHECK(cookie_store_.get());

+  // Binding ref-counted |this| to CookieStoreGetter may result in
+  // heap-use-after-free if (a) the CookieStoreGetter contains the last
+  // CefCookieManagerImpl reference and (b) that reference is released during
+  // execution of a CookieMonster callback (which then results in the
+  // CookieManager being deleted). Use WeakPtr instead of |this| so that, in
+  // that case, the CookieStoreGetter will return nullptr instead of keeping
+  // the CefCookieManagerImpl alive (see issue #1882).
  const CookieStoreGetter& cookie_store_getter =
-      base::Bind(&CefCookieManagerImpl::GetExistingCookieStore, this);
+      base::Bind(GetExistingCookieStoreHelper,
+                 weak_ptr_factory_.GetWeakPtr());

  if (task_runner->BelongsToCurrentThread()) {
    // Execute the callback immediately.
--- a/libcef/browser/cookie_manager_impl.h
+++ b/libcef/browser/cookie_manager_impl.h
@ -12,6 +12,7 @@
 #include "libcef/browser/thread_util.h"

 #include "base/files/file_path.h"
+#include "base/memory/weak_ptr.h"
 #include "net/cookies/cookie_monster.h"

 // Implementation of the CefCookieManager interface.
@ -126,6 +127,9 @@ class CefCookieManagerImpl : public CefCookieManager {
  std::vector<std::string> supported_schemes_;
  std::unique_ptr<net::CookieMonster> cookie_store_;

+  // Must be the last member.
+  base::WeakPtrFactory<CefCookieManagerImpl> weak_ptr_factory_;
+
  IMPLEMENT_REFCOUNTING_DELETE_ON_IOT(CefCookieManagerImpl);
 };