Fix use-after-disconnect in ResourceBundleFileLoader

Because ResourceBundleFileLoader waits for both a mojo::Remote and mojo::Receiver to disconnect before destroying itself, it's possible for the ResourceBundleFileLoader to still be alive but |client_| to be disconnected. Therefore when ResourceBundleFileLoader::OnMimeTypeRead() runs after |client_| is disconnected, attempts to call |client_| Mojo methods will either DCHECK or crash. Bug: 1156958 Change-Id: I4320c26a75dce2a73509d3b0653c443df0c77ac2 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2584725 Auto-Submit: Anand K Mistry <amistry@chromium.org> Reviewed-by: Luciano Pacheco <lucmult@chromium.org> Reviewed-by: Finnur Thorarinsson <finnur@chromium.org> Commit-Queue: Finnur Thorarinsson <finnur@chromium.org> Cr-Commit-Position: refs/heads/master@{#836113}

Fix use-after-disconnect in ResourceBundleFileLoader
Because ResourceBundleFileLoader waits for both a mojo::Remote and mojo::Receiver to disconnect before destroying itself, it's possible for the ResourceBundleFileLoader to still be alive but |client_| to be disconnected. Therefore when ResourceBundleFileLoader::OnMimeTypeRead() runs after |client_| is disconnected, attempts to call |client_| Mojo methods will either DCHECK or crash. Bug: 1156958 Change-Id: I4320c26a75dce2a73509d3b0653c443df0c77ac2 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2584725 Auto-Submit: Anand K Mistry <amistry@chromium.org> Reviewed-by: Luciano Pacheco <lucmult@chromium.org> Reviewed-by: Finnur Thorarinsson <finnur@chromium.org> Commit-Queue: Finnur Thorarinsson <finnur@chromium.org> Cr-Commit-Position: refs/heads/master@{#836113}
bf50b286 · Anand K Mistry · Chromium LUCI CQ · 3c1fe4ee · bf50b286
Commit bf50b286 authored Dec 11, 2020 by Anand K Mistry Committed by Chromium LUCI CQ Dec 11, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 0 deletions

chrome/browser/extensions/chrome_url_request_util.cc chrome/browser/extensions/chrome_url_request_util.cc +8 -0

No files found.
--- a/chrome/browser/extensions/chrome_url_request_util.cc
+++ b/chrome/browser/extensions/chrome_url_request_util.cc
@@ -149,6 +149,14 @@ class ResourceBundleFileLoader : public network::mojom::URLLoader {
  void OnMimeTypeRead(scoped_refptr<base::RefCountedMemory> data,
                      std::string* read_mime_type,
                      bool read_result) {
+    if (!client_) {
+      // At this point, it is possible for |client_| to have disconnected, but
+      // the |receiver_| disconnect either hasn't been received, or is pending
+      // in the task queue. If |client_| is disconnected, there's nothing to do
+      // so wait for the |receiver_| disconnect to destroy us.
+      return;
+    }
    auto head = network::mojom::URLResponseHead::New();
    head->request_start = base::TimeTicks::Now();
    head->response_start = base::TimeTicks::Now();