-
tapted authored
BookmarkBarController has a weak pointer in a |pulsingButton_| data member. This is an NSView which can be destroyed in -[BookmarkBarController redistributeButtonsOnBarAsNeeded] when it is removed from its superview. Since bubbles close asynchronously, and fade out, the bookmark bubble can cause a UAF to |pulsingButton_| via stopPulsingBookmarkNode. This can occur if a resize triggers redistributeButtonsOnBarAsNeeded while a bookmark bubble is still alive. There's no need for this to be a weak pointer. Make it scoped_nsobject instead. This affects both Cocoa and MacViews. BUG=616051 TEST=Added unit_test: BookmarkBarControllerTest.RedistributeButtonsOnBarAsNeeded Review-Url: https://codereview.chromium.org/2567973002 Cr-Commit-Position: refs/heads/master@{#437954}
561b5ae6
