-
David Tseng authored
Mostly speculative to fix crash (enclosed in bug). Could not reproduce. From the stack, it looks like TtsHandler::HandlePreviewTtsVoice gets called. This results in sending an utterance, with TtsHandler as a delegate. TtsHandler never removes itself as a delegate, if the utterance is alive, but TtsHandler gets destroyed. Any calls to TtsUtterance::OnTtsEvent would deref a deallocated TtsHandler (uaf). It's not quite what occurs in the stack, but the above seems like an issue. R=katie@chromium.org Fixed: 1038277 Change-Id: Iffda2304c9d2f88f58af51accebf738bfbc39181 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2210004Reviewed-by:
dpapad <dpapad@chromium.org> Reviewed-by:
Katie Dektar <katie@chromium.org> Commit-Queue: dpapad <dpapad@chromium.org> Commit-Queue: David Tseng <dtseng@chromium.org> Auto-Submit: David Tseng <dtseng@chromium.org> Cr-Commit-Position: refs/heads/master@{#771977}
8f318f60
