bcarrella/cef
1
0
Fork 0
mirror of https://bitbucket.org/chromiumembedded/cef synced 2025-06-05 21:39:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix heap-use-after-free during CefCookieManagerImpl destruction (issue #1882)

Browse Source
This commit is contained in:
Marshall Greenblatt
2016-04-29 14:09:35 -07:00
parent e690fa444c
commit 52f9aacdf5
2 changed files with 22 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
libcef/browser/cookie_manager_impl.cc
View File

@ -113,10 +113,18 @@ void SetCookieCallbackImpl(CefRefPtr<CefSetCookieCallback> callback,
base::Bind(&CefSetCookieCallback::OnComplete, callback.get(), success)); base::Bind(&CefSetCookieCallback::OnComplete, callback.get(), success));
} }
net::CookieStore* GetExistingCookieStoreHelper(
base::WeakPtr<CefCookieManagerImpl> cookie_manager) {
if (cookie_manager.get())
return cookie_manager->GetExistingCookieStore();
return nullptr;
}
} // namespace } // namespace
CefCookieManagerImpl::CefCookieManagerImpl() { CefCookieManagerImpl::CefCookieManagerImpl()
: weak_ptr_factory_(this) {
} }
CefCookieManagerImpl::~CefCookieManagerImpl() { CefCookieManagerImpl::~CefCookieManagerImpl() {
@ -160,8 +168,16 @@ void CefCookieManagerImpl::GetCookieStore(
DCHECK(cookie_store_.get()); DCHECK(cookie_store_.get());
// Binding ref-counted |this| to CookieStoreGetter may result in
// heap-use-after-free if (a) the CookieStoreGetter contains the last
// CefCookieManagerImpl reference and (b) that reference is released during
// execution of a CookieMonster callback (which then results in the
// CookieManager being deleted). Use WeakPtr instead of |this| so that, in
// that case, the CookieStoreGetter will return nullptr instead of keeping
// the CefCookieManagerImpl alive (see issue #1882).
const CookieStoreGetter& cookie_store_getter = const CookieStoreGetter& cookie_store_getter =
base::Bind(&CefCookieManagerImpl::GetExistingCookieStore, this); base::Bind(GetExistingCookieStoreHelper,
weak_ptr_factory_.GetWeakPtr());
if (task_runner->BelongsToCurrentThread()) { if (task_runner->BelongsToCurrentThread()) {
// Execute the callback immediately. // Execute the callback immediately.

4
libcef/browser/cookie_manager_impl.h
View File

@ -12,6 +12,7 @@
#include "libcef/browser/thread_util.h" #include "libcef/browser/thread_util.h"
#include "base/files/file_path.h" #include "base/files/file_path.h"
#include "base/memory/weak_ptr.h"
#include "net/cookies/cookie_monster.h" #include "net/cookies/cookie_monster.h"
// Implementation of the CefCookieManager interface. // Implementation of the CefCookieManager interface.
@ -126,6 +127,9 @@ class CefCookieManagerImpl : public CefCookieManager {
std::vector<std::string> supported_schemes_; std::vector<std::string> supported_schemes_;
std::unique_ptr<net::CookieMonster> cookie_store_; std::unique_ptr<net::CookieMonster> cookie_store_;
// Must be the last member.
base::WeakPtrFactory<CefCookieManagerImpl> weak_ptr_factory_;
IMPLEMENT_REFCOUNTING_DELETE_ON_IOT(CefCookieManagerImpl); IMPLEMENT_REFCOUNTING_DELETE_ON_IOT(CefCookieManagerImpl);
}; };