[Extensions] Fix use-after-free in the developer private API.

BUG=482112 Review URL: https://codereview.chromium.org/1112693002 Cr-Commit-Position: refs/heads/master@{#327373}

[Extensions] Fix use-after-free in the developer private API.
BUG=482112 Review URL: https://codereview.chromium.org/1112693002 Cr-Commit-Position: refs/heads/master@{#327373}
7d1acb93 · rdevlin.cronin · Commit bot · 820c0714 · 7d1acb93
Commit 7d1acb93 authored Apr 28, 2015 by rdevlin.cronin Committed by Commit bot Apr 28, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 4 deletions

chrome/browser/extensions/api/developer_private/extension_info_generator.cc ...ensions/api/developer_private/extension_info_generator.cc +5 -4

No files found.
--- a/chrome/browser/extensions/api/developer_private/extension_info_generator.cc
+++ b/chrome/browser/extensions/api/developer_private/extension_info_generator.cc
@@ -508,12 +508,13 @@ void ExtensionInfoGenerator::OnImageLoaded(
  --pending_image_loads_;
  if (pending_image_loads_ == 0) {  // All done!
-    // We assign to a temporary and Reset() so that at the end of the method,
+    // We assign to a temporary callback and list and reset the stored values so
-    // any stored refs are destroyed.
+    // that at the end of the method, any stored refs are destroyed.
+    ExtensionInfoList list;
+    list.swap(list_);
    ExtensionInfosCallback callback = callback_;
    callback_.Reset();
-    callback.Run(list_);
+    callback.Run(list);  // WARNING: |this| is possibly deleted after this line!
-    list_.clear();
  }
 }