-
Min Qin authored
The use-after-free is introduced in the following call sequence: 1. DataObjectImpl::GetData() calls DragDownloadFile::Wait(), which starts nested runloop and wait for download to complete. 2. DragDownloadFile::DownloadCompleted() is called, and it calls DataObjectImpl::OnDownloadCompleted(). 3. OnDownloadCompleted() creates a new StoredDataInfo object, that clears up the scoped_refptr of DragDownloadFile in the StoredDataInfo. As a result, DragDownloadFile is deleted. 4. The nested runloop started in DragDownloadFile::Wait() should finish now, but the return statement touches the state_ member variable on the deleted object, This CL breaks the above sequence by checking the weakptr in 4 first before accessing the state_ member variable BUG=968303 Change-Id: Ie1266d344fe102f73451bda9f996e29d9bd00a31 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1827488Reviewed-by:
Xing Liu <xingliu@chromium.org> Reviewed-by:
Scott Violet <sky@chromium.org> Commit-Queue: Min Qin <qinmin@chromium.org> Cr-Commit-Position: refs/heads/master@{#700914}
9a3ba05f
