Android: Fix a WebContents UAF exception

Removes unnecessary indirection through WebContentsImpl for Activity instance, which may access it after destruction. We already have a null check for safe access to content layer in native ContextMenuHelper (when getting RenderFrameHost in CMH::RetrieveImageInternal) we can rely on, in case the WebContents gets destroyed before the context menu action is performed. Bug: 915953 Change-Id: I508f07f664b3d09bfba35748ba30afae991aae00 Reviewed-on: https://chromium-review.googlesource.com/c/1382712 Commit-Queue: Jinsuk Kim <jinsukkim@chromium.org> Reviewed-by: Theresa <twellington@chromium.org> Cr-Commit-Position: refs/heads/master@{#618408}

Android: Fix a WebContents UAF exception
Removes unnecessary indirection through WebContentsImpl for Activity instance, which may access it after destruction. We already have a null check for safe access to content layer in native ContextMenuHelper (when getting RenderFrameHost in CMH::RetrieveImageInternal) we can rely on, in case the WebContents gets destroyed before the context menu action is performed. Bug: 915953 Change-Id: I508f07f664b3d09bfba35748ba30afae991aae00 Reviewed-on: https://chromium-review.googlesource.com/c/1382712 Commit-Queue: Jinsuk Kim <jinsukkim@chromium.org> Reviewed-by: Theresa <twellington@chromium.org> Cr-Commit-Position: refs/heads/master@{#618408}
f47e3f84 · Jinsuk Kim · Commit Bot · db739361 · f47e3f84
Commit f47e3f84 authored Dec 21, 2018 by Jinsuk Kim Committed by Commit Bot Dec 21, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 7 deletions

chrome/android/java/src/org/chromium/chrome/browser/contextmenu/ContextMenuHelper.java ...hromium/chrome/browser/contextmenu/ContextMenuHelper.java +6 -7

No files found.
--- a/chrome/android/java/src/org/chromium/chrome/browser/contextmenu/ContextMenuHelper.java
+++ b/chrome/android/java/src/org/chromium/chrome/browser/contextmenu/ContextMenuHelper.java
@@ -205,8 +205,10 @@ public class ContextMenuHelper implements OnCreateContextMenuListener {

    /**
     * Share the image that triggered the current context menu.
+     * Package-private, allowing access only from the context menu item to ensure that
+     * it will use the right activity set when the menu was displayed.
     */
-    public void shareImage() {
+    void shareImage() {
        shareImageDirectly(null);
    }

@@ -214,17 +216,14 @@ public class ContextMenuHelper implements OnCreateContextMenuListener {
     * Share image triggered with the current context menu directly with a specific app.
     * @param name The {@link ComponentName} of the app to share the image directly with.
     */
-    public void shareImageDirectly(@Nullable final ComponentName name) {
+    private void shareImageDirectly(@Nullable final ComponentName name) {
        if (mNativeContextMenuHelper == 0) return;
        Callback<byte[]> callback = new Callback<byte[]>() {
            @Override
            public void onResult(byte[] result) {
-                WindowAndroid windowAndroid = mWebContents.getTopLevelNativeWindow();
+                if (mActivity == null) return;

-                Activity activity = windowAndroid.getActivity().get();
-                if (activity == null) return;
-
-                ShareHelper.shareImage(activity, result, name);
+                ShareHelper.shareImage(mActivity, result, name);
            }
        };
        nativeRetrieveImageForShare(