    [Web Payment] Browser context owned callback. · 2d0aad1e
    Rouslan Solomakhin authored
    Before this patch, an unowned function pointer would be invoked
    asynchronously with a reference to the possibly freed browser
    context, which could cause a use after free in certain
    circumstances.
    
    This patch makes the browser context own the callback and binds the
    function with a weak pointer, so freeing the browser context invalidates
    the weak pointer, which cancels the callback execution.
    
    After this patch, freeing the browser context aborts the asynchronous
    callback that dereferences the browser context, so the use after free
    is prevented.
    
    Bug: 1065298
    Change-Id: Id6de3099a55c4505e94a8a6d21fb25d6d2b34c6c
    Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2144311
    Reviewed-by: Danyao Wang <danyao@chromium.org>
    Commit-Queue: Rouslan Solomakhin <rouslan@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#758404}
payment_app_provider_impl.cc 39.8 KB
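The weak-pointer cancellation the commit message describes, as an added example that is not Chromium's code: the real change binds with base::WeakPtr inside payment_app_provider_impl.cc, whereas this stand-alone version uses std::weak_ptr and a hand-rolled task queue, and the names BrowserContext, OnPaymentAppsReady, BindUnowned and BindWeak are hypothetical. It shows the pre-patch raw-pointer binding beside the post-patch weak binding, and that freeing the owner before the queued task runs turns the callback into a no-op instead of a use after free.

```cpp
#include <functional>
#include <iostream>
#include <memory>
#include <queue>
#include <string>
#include <utility>

// Hypothetical stand-in for the browser context; the name and methods are
// assumptions for this example, not Chromium's BrowserContext API.
class BrowserContext {
 public:
  explicit BrowserContext(std::string name) : name_(std::move(name)) {}
  const std::string& name() const { return name_; }
  void OnPaymentAppsReady(int count) { apps_ready_ += count; }
  int apps_ready() const { return apps_ready_; }

 private:
  std::string name_;
  int apps_ready_ = 0;
};

// Minimal task queue standing in for the message loop that delivers the
// asynchronous reply some time after it was posted.
using Task = std::function<void()>;
class TaskQueue {
 public:
  void Post(Task task) { tasks_.push(std::move(task)); }
  void RunAll() {
    while (!tasks_.empty()) {
      Task task = std::move(tasks_.front());
      tasks_.pop();
      task();
    }
  }

 private:
  std::queue<Task> tasks_;
};

using ContextCallback = std::function<void(BrowserContext&)>;

// Pre-patch shape: the task captures an unowned raw pointer. Nothing stops the
// queue from running it after the context is destroyed, which is the use after
// free. Safe only while the owner is guaranteed to outlive the queued task.
Task BindUnowned(BrowserContext* context, ContextCallback callback) {
  return [context, callback = std::move(callback)]() { callback(*context); };
}

// Post-patch shape: the task holds only a weak handle. When it runs it tries to
// lock the handle; if the context has been freed the lock fails and the
// callback is dropped, so the freed object is never dereferenced.
// (std::weak_ptr plays the role base::WeakPtr plays in Chromium.)
Task BindWeak(std::weak_ptr<BrowserContext> weak_context,
              ContextCallback callback) {
  return [weak_context, callback = std::move(callback)]() {
    if (std::shared_ptr<BrowserContext> context = weak_context.lock()) {
      callback(*context);
    }
  };
}

struct Outcome {
  int invoked;     // how many times the reply callback actually ran
  int apps_ready;  // the state the callback wrote into the context
};

// Owner alive when the queue drains: both bindings deliver the reply.
Outcome RunWithOwnerAlive() {
  TaskQueue queue;
  auto context = std::make_shared<BrowserContext>("profile-alive");
  int invoked = 0;
  ContextCallback reply = [&invoked](BrowserContext& c) {
    ++invoked;
    c.OnPaymentAppsReady(3);
  };
  queue.Post(BindUnowned(context.get(), reply));
  queue.Post(BindWeak(context, reply));
  queue.RunAll();
  return {invoked, context->apps_ready()};
}

// Owner freed before the queue drains: only the weak binding is queued, and it
// must not run. (Queuing BindUnowned here would be undefined behaviour, so the
// example deliberately does not exercise it.)
int RunWithOwnerFreed() {
  TaskQueue queue;
  auto context = std::make_shared<BrowserContext>("profile-freed");
  int invoked = 0;
  queue.Post(BindWeak(context, [&invoked](BrowserContext& c) {
    ++invoked;
    c.OnPaymentAppsReady(3);
  }));
  context.reset();  // last strong reference gone: the context is destroyed
  queue.RunAll();   // the task fails to lock the weak_ptr and does nothing
  return invoked;
}

int main() {
  Outcome alive = RunWithOwnerAlive();
  std::cout << "owner alive: invoked=" << alive.invoked
            << " apps_ready=" << alive.apps_ready << '\n';
  std::cout << "owner freed: invoked=" << RunWithOwnerFreed() << '\n';
  return 0;
}
```

The check a reviewer wants on a patch like this is the second scenario: destroy the owner after the reply has been posted but before the loop runs it. With the weak binding the callback count stays at zero and no freed memory is touched; the same sequence with the raw-pointer binding is exactly the use after free the patch removes.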