-
John Kleinschmidt authored
Under certain circumstances, such as aborting an animation and then reassigning a unique_ptr to a new CallbackLayerAnimationObserver (eg InkDropRipple::SnapToState(InkDropState ink_drop_state), the logic to detect deletion in CallbackLayerAnimationObserver ends up causing a heap-use-after-free because CallbackLayerAnimationObserver::CheckAllSequencesCompleted() overwrites the destroyed_ pointer that CallbackLayerAnimationObserver::SetActive() set. In order to fix this issue, use of the destroyed_ pointer was replaced with local WeakPtrs in order to detect deletion. Change-Id: I051657fae929eb4d7200f965561e9d9fb21b44f5 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1714626Reviewed-by:
kylechar <kylechar@chromium.org> Commit-Queue: Jeremy Apthorp <jeremya@chromium.org> Cr-Commit-Position: refs/heads/master@{#683029}
51452545
