Windows Native Notifications: Store arguments on stack.

This prevents a UaF in notification_helper, triggered by the fact that c_str() points to a deleted string when the ShellExecute call runs. TBR: robliao, chengx Bug: 734095 Change-Id: I17437368254fb138d1a3fe5db432dba86e30c161 Reviewed-on: https://chromium-review.googlesource.com/937702Reviewed-by: Peter Beverloo <peter@chromium.org> Commit-Queue: Finnur Thorarinsson <finnur@chromium.org> Cr-Commit-Position: refs/heads/master@{#539182}

Windows Native Notifications: Store arguments on stack.
This prevents a UaF in notification_helper, triggered by the fact that c_str() points to a deleted string when the ShellExecute call runs. TBR: robliao, chengx Bug: 734095 Change-Id: I17437368254fb138d1a3fe5db432dba86e30c161 Reviewed-on: https://chromium-review.googlesource.com/937702Reviewed-by: Peter Beverloo <peter@chromium.org> Commit-Queue: Finnur Thorarinsson <finnur@chromium.org> Cr-Commit-Position: refs/heads/master@{#539182}
34f1357a · Finnur Thorarinsson · Commit Bot · 1aa9101b · 34f1357a
Commit 34f1357a authored Feb 26, 2018 by Finnur Thorarinsson Committed by Commit Bot Feb 26, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

notification_helper/notification_activator.cc notification_helper/notification_activator.cc +2 -1

No files found.
--- a/notification_helper/notification_activator.cc
+++ b/notification_helper/notification_activator.cc
@@ -87,7 +87,8 @@ HRESULT NotificationActivator::Activate(
  info.cbSize = sizeof(info);
  info.fMask = SEE_MASK_NOASYNC | SEE_MASK_FLAG_LOG_USAGE;
  info.lpFile = chrome_exe_path.value().c_str();
-  info.lpParameters = command_line.GetCommandLineString().c_str();
+  base::string16 arguments(command_line.GetCommandLineString());
+  info.lpParameters = arguments.c_str();
  info.nShow = SW_SHOWNORMAL;

  if (!::ShellExecuteEx(&info)) {