Fix UAF in chrome_pdf::Instance::GetURL()

The instance owns the engine via its engine_ scoped_ptr, so if the engine is being destroyed via the scoped_ptr destructor, it may not be safe to access anything in the instance since the instance may be partially destroyed. Instead, destroy the engine as the first step in the process so the instance is still intact. BUG=392956 Review URL: https://codereview.chromium.org/427583003 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@287955 0039d316-1c4b-4281-b951-d872f2087c98

Fix UAF in chrome_pdf::Instance::GetURL()
The instance owns the engine via its engine_ scoped_ptr, so if the engine is being destroyed via the scoped_ptr destructor, it may not be safe to access anything in the instance since the instance may be partially destroyed. Instead, destroy the engine as the first step in the process so the instance is still intact. BUG=392956 Review URL: https://codereview.chromium.org/427583003 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@287955 0039d316-1c4b-4281-b951-d872f2087c98
b2aa9cee · tsepez@chromium.org · 82307f6b · b2aa9cee
Commit b2aa9cee authored Aug 07, 2014 by tsepez@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

pdf/instance.cc pdf/instance.cc +3 -0

No files found.
--- a/pdf/instance.cc
+++ b/pdf/instance.cc
@@ -307,6 +307,9 @@ Instance::Instance(PP_Instance instance)
 }

 Instance::~Instance() {
+  // The engine may try to access this instance during its destruction.
+  // Make sure this happens early while the instance is still intact.
+  engine_.reset();
  RemovePerInstanceObject(kPPPPdfInterface, this);
 }