[ MimeHandlerView ] Provisional fix for a browser crash

When a MimeHandlerView related resource is intercepted by the PluginResponseInterceptorURLLoaderThrottle, loading is deferred to when a MimeHandlerViewEmbedder is created on UI thread. However, this has caused browser crashes on IO thread when PRIULT resumes loading. The reason could be that PRIULT has *somehow* gone away and since the callback uses the raw pointer for binding, it might be causing a UaF. This CL uses a weak pointer for the callback as a provisional fix. Bug: 966793 Change-Id: I24d8913ccb8fec52eb588b654febbb42f0880a15 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1626339Reviewed-by: Avi Drissman <avi@chromium.org> Commit-Queue: Ehsan Karamad <ekaramad@chromium.org> Cr-Commit-Position: refs/heads/master@{#663112}

[ MimeHandlerView ] Provisional fix for a browser crash
When a MimeHandlerView related resource is intercepted by the PluginResponseInterceptorURLLoaderThrottle, loading is deferred to when a MimeHandlerViewEmbedder is created on UI thread. However, this has caused browser crashes on IO thread when PRIULT resumes loading. The reason could be that PRIULT has *somehow* gone away and since the callback uses the raw pointer for binding, it might be causing a UaF. This CL uses a weak pointer for the callback as a provisional fix. Bug: 966793 Change-Id: I24d8913ccb8fec52eb588b654febbb42f0880a15 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1626339Reviewed-by: Avi Drissman <avi@chromium.org> Commit-Queue: Ehsan Karamad <ekaramad@chromium.org> Cr-Commit-Position: refs/heads/master@{#663112}
6ce99156 · Ehsan Karamad · Commit Bot · e1bb98d2 · 6ce99156 · 6ce99156
Commit 6ce99156 authored May 24, 2019 by Ehsan Karamad Committed by Commit Bot May 24, 2019
2 changed files
--- a/chrome/browser/plugins/plugin_response_interceptor_url_loader_throttle.cc
+++ b/chrome/browser/plugins/plugin_response_interceptor_url_loader_throttle.cc
@@ -28,7 +28,8 @@ PluginResponseInterceptorURLLoaderThrottle::
        int frame_tree_node_id)
    : resource_context_(resource_context),
      resource_type_(resource_type),
-      frame_tree_node_id_(frame_tree_node_id) {}
+      frame_tree_node_id_(frame_tree_node_id),
+      weak_factory_(this) {}
 PluginResponseInterceptorURLLoaderThrottle::
    ~PluginResponseInterceptorURLLoaderThrottle() = default;
@@ -78,7 +79,7 @@ void PluginResponseInterceptorURLLoaderThrottle::WillProcessResponse(
          &payload, &data_pipe_size,
          base::BindOnce(
              &PluginResponseInterceptorURLLoaderThrottle::ResumeLoad,
-              base::Unretained(this)));
+              weak_factory_.GetWeakPtr()));
  mojo::DataPipe data_pipe(data_pipe_size);
  uint32_t len = static_cast<uint32_t>(payload.size());

--- a/chrome/browser/plugins/plugin_response_interceptor_url_loader_throttle.h
+++ b/chrome/browser/plugins/plugin_response_interceptor_url_loader_throttle.h
@@ -8,6 +8,7 @@
 #include <string>
 #include "base/macros.h"
+#include "base/memory/weak_ptr.h"
 #include "content/public/common/url_loader_throttle.h"
 namespace content {
@@ -44,6 +45,9 @@ class PluginResponseInterceptorURLLoaderThrottle
  const int resource_type_;
  const int frame_tree_node_id_;
+  base::WeakPtrFactory<PluginResponseInterceptorURLLoaderThrottle>
+      weak_factory_;
  DISALLOW_COPY_AND_ASSIGN(PluginResponseInterceptorURLLoaderThrottle);
 };