Fixes a use after free in the BadgeService

An instance of the badge service can be moved between different browsers so we should find the delegate/hosted_app as needed instead of storing them at instantiation. Bug: 916904 Change-Id: Ia91875f3342be0bb7b2e7dd1807efd2cdd36206c Reviewed-on: https://chromium-review.googlesource.com/c/1385726 Commit-Queue: Jay Harris <harrisjay@chromium.org> Reviewed-by: Matt Giuca <mgiuca@chromium.org> Cr-Commit-Position: refs/heads/master@{#618380}

Fixes a use after free in the BadgeService
An instance of the badge service can be moved between different browsers so we should find the delegate/hosted_app as needed instead of storing them at instantiation. Bug: 916904 Change-Id: Ia91875f3342be0bb7b2e7dd1807efd2cdd36206c Reviewed-on: https://chromium-review.googlesource.com/c/1385726 Commit-Queue: Jay Harris <harrisjay@chromium.org> Reviewed-by: Matt Giuca <mgiuca@chromium.org> Cr-Commit-Position: refs/heads/master@{#618380}
a0cd397a · Jay Harris · Commit Bot · a3f21077 · a0cd397a · a0cd397a
Commit a0cd397a authored Dec 20, 2018 by Jay Harris Committed by Commit Bot Dec 20, 2018
Showing with 19 additions and 15 deletions

chrome/browser/badging/badge_service_impl.cc chrome/browser/badging/badge_service_impl.cc +19 -9

chrome/browser/badging/badge_service_impl.h chrome/browser/badging/badge_service_impl.h +0 -6

No files found.
--- a/chrome/browser/badging/badge_service_impl.cc
+++ b/chrome/browser/badging/badge_service_impl.cc
@@ -19,6 +19,18 @@
 #include "content/public/browser/web_contents.h"
 #include "extensions/common/extension.h"
+namespace {
+#if !defined(OS_CHROMEOS)
+BadgeServiceDelegate* GetDelegate(content::WebContents* web_contents) {
+  return chrome::FindBrowserWithWebContents(web_contents)
+      ->window()
+      ->GetBadgeServiceDelegate();
+}
+#endif
+}  // namespace
 // static
 void BadgeServiceImpl::Create(blink::mojom::BadgeServiceRequest request,
                              content::RenderFrameHost* render_frame_host) {
@@ -48,7 +60,7 @@ void BadgeServiceImpl::SetBadge(base::Optional<uint64_t> content) {
  if (!IsInApp())
    return;
-  delegate_->SetBadge(web_contents_, content);
+  GetDelegate(web_contents_)->SetBadge(web_contents_, content);
 #endif
 }
@@ -64,7 +76,7 @@ void BadgeServiceImpl::ClearBadge() {
  if (!IsInApp())
    return;
-  delegate_->ClearBadge(web_contents_);
+  GetDelegate(web_contents_)->ClearBadge(web_contents_);
 #endif
 }
@@ -75,14 +87,9 @@ BadgeServiceImpl::BadgeServiceImpl(content::RenderFrameHost* render_frame_host,
      render_frame_host_(render_frame_host) {
  web_contents_ = content::WebContents::FromRenderFrameHost(render_frame_host_);
  browser_context_ = web_contents_->GetBrowserContext();
-  Browser* browser = chrome::FindBrowserWithWebContents(web_contents_);
-  hosted_app_controller_ = browser->hosted_app_controller();
 #if defined(OS_CHROMEOS)
  badge_manager_ = badging::BadgeManagerFactory::GetInstance()->GetForProfile(
      Profile::FromBrowserContext(browser_context_));
-#else
-  delegate_ = browser->window()->GetBadgeServiceDelegate();
 #endif
 }
@@ -96,8 +103,11 @@ const extensions::Extension* BadgeServiceImpl::ExtensionFromLastUrl() {
 }
 bool BadgeServiceImpl::IsInApp() {
-  return hosted_app_controller_ &&
+  extensions::HostedAppBrowserController* hosted_app_controller =
-         extensions::IsSameScope(hosted_app_controller_->GetAppLaunchURL(),
+      chrome::FindBrowserWithWebContents(web_contents_)
+          ->hosted_app_controller();
+  return hosted_app_controller &&
+         extensions::IsSameScope(hosted_app_controller->GetAppLaunchURL(),
                                 web_contents_->GetLastCommittedURL(),
                                 web_contents_->GetBrowserContext());
 }
--- a/chrome/browser/badging/badge_service_impl.h
+++ b/chrome/browser/badging/badge_service_impl.h
@@ -17,15 +17,12 @@ class WebContents;
 namespace extensions {
 class Extension;
-class HostedAppBrowserController;
 }
 #if defined(OS_CHROMEOS)
 namespace badging {
 class BadgeManager;
 }
-#else
-class BadgeServiceDelegate;
 #endif
 // Desktop implementation of the BadgeService mojo service.
@@ -52,11 +49,8 @@ class BadgeServiceImpl
  content::RenderFrameHost* render_frame_host_;
  content::BrowserContext* browser_context_;
  content::WebContents* web_contents_;
-  extensions::HostedAppBrowserController* hosted_app_controller_;
 #if defined(OS_CHROMEOS)
  badging::BadgeManager* badge_manager_;
-#else
-  BadgeServiceDelegate* delegate_;
 #endif
 };