Commit 0c0bee99 authored by Sunggook Chue's avatar Sunggook Chue Committed by Commit Bot

The issue is an invalid address access when the render frame host was deleted in the middle of a gIRA (getInstalledRelatedApps) API call.

The changes are
- gIRA registers a WebContentsObserver for render frame host deletion.
- In the frame host deletion callback, the frame host pointer member variable is set to null.
- The render frame host pointer is null-checked before it is dereferenced.

Bug: https://bugs.chromium.org/p/chromium/issues/detail?id=1062091
Change-Id: I7bc261a292b63c8e60865916315b3dea59130c4b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2107618
Commit-Queue: Sunggook Chue <sunggch@microsoft.com>
Reviewed-by: default avatarRayan Kanso <rayankans@chromium.org>
Cr-Commit-Position: refs/heads/master@{#751516}
parent 91482c34
......@@ -8,6 +8,7 @@
#include "content/public/browser/browser_context.h"
#include "content/public/browser/render_frame_host.h"
#include "content/public/browser/render_process_host.h"
#include "content/public/browser/web_contents.h"
#include "content/public/common/content_features.h"
#include "mojo/public/cpp/bindings/self_owned_receiver.h"
......@@ -34,7 +35,9 @@ void DidGetInstalledApps(
InstalledAppProviderImpl::InstalledAppProviderImpl(
RenderFrameHost* render_frame_host)
: render_frame_host_(render_frame_host) {
: content::WebContentsObserver(
WebContents::FromRenderFrameHost(render_frame_host)),
render_frame_host_(render_frame_host) {
DCHECK(render_frame_host_);
}
......@@ -43,7 +46,8 @@ void InstalledAppProviderImpl::FilterInstalledApps(
const GURL& manifest_url,
FilterInstalledAppsCallback callback) {
bool is_implemented = false;
if (base::FeatureList::IsEnabled(features::kInstalledAppProvider)) {
if (base::FeatureList::IsEnabled(features::kInstalledAppProvider) &&
render_frame_host_) {
#if defined(OS_WIN)
is_implemented = true;
bool is_off_the_record =
......@@ -52,7 +56,7 @@ void InstalledAppProviderImpl::FilterInstalledApps(
std::move(related_apps),
base::BindOnce(&DidGetInstalledApps, is_off_the_record,
std::move(callback)),
render_frame_host_);
render_frame_host_->GetLastCommittedURL());
#endif
}
......@@ -62,6 +66,13 @@ void InstalledAppProviderImpl::FilterInstalledApps(
}
}
void InstalledAppProviderImpl::RenderFrameDeleted(
RenderFrameHost* render_frame_host) {
if (render_frame_host_ == render_frame_host) {
render_frame_host_ = nullptr;
}
}
// static
void InstalledAppProviderImpl::Create(
RenderFrameHost* host,
......
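Review bot: The constructor in the second hunk only attaches the observer when `WebContents::FromRenderFrameHost(render_frame_host)` returns a WebContents; if that lookup yields null, `RenderFrameDeleted` is never delivered and `render_frame_host_` dangles exactly as before, while `DCHECK(render_frame_host_)` still passes, so add `DCHECK(web_contents());` right after it to make the assumption explicit. The root cause is that this object is a self-owned Mojo receiver (see the `self_owned_receiver.h` include) whose lifetime follows the message pipe rather than the frame, which is why a cached raw `RenderFrameHost*` was one frame teardown away from a use-after-free. If `content::FrameServiceBase` is available in this tree, deriving from it instead would destroy the receiver on frame deletion (and, I believe, on cross-document navigation), which a nulled pointer alone does not cover; worth a follow-up. The `render_frame_host_` check in `FilterInstalledApps` is correct as far as the hunk shows, but both that function and `Create` continue outside the hunk.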
......@@ -8,6 +8,7 @@
#include <string>
#include <vector>
#include "content/public/browser/web_contents_observer.h"
#include "third_party/blink/public/mojom/installedapp/installed_app_provider.mojom.h"
#include "third_party/blink/public/mojom/installedapp/related_application.mojom.h"
......@@ -15,7 +16,8 @@ namespace content {
class RenderFrameHost;
class InstalledAppProviderImpl : public blink::mojom::InstalledAppProvider {
class InstalledAppProviderImpl : public blink::mojom::InstalledAppProvider,
public content::WebContentsObserver {
public:
explicit InstalledAppProviderImpl(RenderFrameHost* render_frame_host);
static void Create(
......@@ -30,8 +32,11 @@ class InstalledAppProviderImpl : public blink::mojom::InstalledAppProvider {
const GURL& manifest_url,
FilterInstalledAppsCallback callback) override;
// WebContentsObserver
void RenderFrameDeleted(RenderFrameHost* render_frame_host) override;
private:
RenderFrameHost* const render_frame_host_;
RenderFrameHost* render_frame_host_;
};
} // namespace content
......
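Review bot: `render_frame_host_` loses its `const` and becomes nullable, but nothing in the header states when it may be null, which is the invariant the whole fix depends on; add `// Cleared by RenderFrameDeleted(); null once the frame is gone, so check before use.` above the declaration. An in-class initializer, `RenderFrameHost* render_frame_host_ = nullptr;`, would also keep a future constructor from leaving it indeterminate. The `RenderFrameDeleted` override deserves a one-line comment saying it only resets the pointer when the deleted frame is the one this provider was created for. The public section of the class between the two hunks is not shown.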
......@@ -99,7 +99,7 @@ void OnGetAppUrlHandlers(
void FilterInstalledAppsForWin(
std::vector<blink::mojom::RelatedApplicationPtr> related_apps,
blink::mojom::InstalledAppProvider::FilterInstalledAppsCallback callback,
RenderFrameHost* render_frame_host) {
const GURL frame_url) {
if (!base::win::ScopedHString::ResolveCoreWinRTStringDelayload() ||
!base::win::ResolveCoreWinRTDelayload()) {
std::move(callback).Run(std::vector<blink::mojom::RelatedApplicationPtr>());
......@@ -122,7 +122,6 @@ void FilterInstalledAppsForWin(
}
ComPtr<IUriRuntimeClass> url;
const GURL& frame_url = render_frame_host->GetLastCommittedURL();
hr = url_factory->CreateUri(
base::win::ScopedHString::Create(frame_url.spec()).get(), &url);
if (FAILED(hr)) {
......
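Review bot: The new signature `const GURL frame_url)` takes the URL by value with a top-level `const`, which is meaningless on a by-value parameter and copies the GURL on every call; in the visible lines `frame_url` is only read synchronously at the `CreateUri` call, so `const GURL& frame_url) {` is the conventional form, unless a later callback outside the hunk captures it, in which case keep by-value but drop the `const`. Passing the URL rather than the frame is the right fix here, since the resolved value is copied at request time and there is no longer a frame pointer to dangle if the callback runs after teardown. The body of `FilterInstalledAppsForWin` continues outside both hunks.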
......@@ -11,10 +11,9 @@
#include "third_party/blink/public/mojom/installedapp/installed_app_provider.mojom.h"
#include "third_party/blink/public/mojom/installedapp/related_application.mojom.h"
namespace content {
class RenderFrameHost;
class GURL;
namespace content {
namespace installed_app_provider_win {
// Windows specific implementation of getInstalledRelatedApps.
......@@ -23,7 +22,7 @@ namespace installed_app_provider_win {
void FilterInstalledAppsForWin(
std::vector<blink::mojom::RelatedApplicationPtr> related_apps,
blink::mojom::InstalledAppProvider::FilterInstalledAppsCallback callback,
RenderFrameHost* render_frame_host);
const GURL frame_url);
} // namespace installed_app_provider_win
} // namespace content
......
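Review bot: The new `frame_url` parameter is undocumented, and its meaning is the crux of the lifetime fix; the comment block above `FilterInstalledAppsForWin` (cut off at the hunk's start) should state `// |frame_url| is the calling frame's last-committed URL, copied at request time, so this may run after the RenderFrameHost has been deleted.` A by-value parameter of the forward-declared `GURL` is legal in a declaration, but every caller must then see the full `GURL` definition and the `const` is ignored, so `const GURL& frame_url);` would match the definition if it is changed accordingly. Moving `class GURL;` to the global namespace looks correct, since GURL is not in `content`.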