fix use after free case in VideoCaptureImpl.

It's possible client returns buffer after cached_dibs_ are freed. Also fix a copy&paste error. BUG=133096 TEST=the pages in bug 133096 do not crash. Review URL: https://chromiumcodereview.appspot.com/10748018 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@146044 0039d316-1c4b-4281-b951-d872f2087c98

fix use after free case in VideoCaptureImpl.
It's possible client returns buffer after cached_dibs_ are freed. Also fix a copy&paste error. BUG=133096 TEST=the pages in bug 133096 do not crash. Review URL: https://chromiumcodereview.appspot.com/10748018 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@146044 0039d316-1c4b-4281-b951-d872f2087c98
c44e5c80 · wjia@chromium.org · f8b3c22b · c44e5c80
Commit c44e5c80 authored Jul 11, 2012 by wjia@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 6 deletions

content/renderer/media/video_capture_impl.cc content/renderer/media/video_capture_impl.cc +7 -6

No files found.
--- a/content/renderer/media/video_capture_impl.cc
+++ b/content/renderer/media/video_capture_impl.cc
@@ -227,7 +227,7 @@ void VideoCaptureImpl::DoStopCapture(
  if (it != clients_pending_on_restart_.end()) {
    handler->OnStopped(this);
    handler->OnRemoved(this);
-    clients_pending_on_filter_.erase(it);
+    clients_pending_on_restart_.erase(it);
    return;
  }
@@ -253,11 +253,12 @@ void VideoCaptureImpl::DoFeedBuffer(scoped_refptr<VideoFrameBuffer> buffer) {
      break;
  }
-  DCHECK(it != cached_dibs_.end());
+  if (it != cached_dibs_.end() && it->second) {
-  DCHECK_GT(it->second->references, 0);
+    DCHECK_GT(it->second->references, 0);
-  it->second->references--;
+    it->second->references--;
-  if (it->second->references == 0) {
+    if (it->second->references == 0) {
-    Send(new VideoCaptureHostMsg_BufferReady(device_id_, it->first));
+      Send(new VideoCaptureHostMsg_BufferReady(device_id_, it->first));
+    }
  }
 }