author | Allan Sandfeld Jensen <allan.jensen@theqtcompany.com> | 2016-03-03 15:24:34 +0100 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@theqtcompany.com> | 2016-03-03 14:48:36 +0000 |
commit | cbe3845eff59c2d1726ed3dc0f934f7f483a1271 (patch) | |
tree | 26bb07b7ad34e35e2788e742fcff3830d02aacb4 | |
parent | 4dffa3de9a67d4aa9298475a039cb8027e97f381 (diff) |
[Backport] Don't call WebContents::DownloadImage() callback if the WebContents were deletedv5.6.0
BUG=583718
Review URL: https://codereview.chromium.org/1685343004
(CVE-2016-1641)
Change-Id: Ifa7d046c7f4e48336ee8d1a220ea91a64e76c4d0
Reviewed-by: Michael BrĂ¼ning <michael.bruning@theqtcompany.com>
-rw-r--r-- | chromium/content/browser/web_contents/web_contents_impl.cc | 47 | ||||
-rw-r--r-- | chromium/content/browser/web_contents/web_contents_impl.h | 7 |
2 files changed, 32 insertions, 22 deletions
diff --git a/chromium/content/browser/web_contents/web_contents_impl.cc b/chromium/content/browser/web_contents/web_contents_impl.cc
index f734fc86cfd..b3eeefece37 100644
--- a/chromium/content/browser/web_contents/web_contents_impl.cc
+++ b/chromium/content/browser/web_contents/web_contents_impl.cc
@@ -139,21 +139,6 @@ const char kWebContentsAndroidKey[] = "web_contents_android";
 base::LazyInstance<std::vector<WebContentsImpl::CreatedCallback> >
 g_created_callbacks = LAZY_INSTANCE_INITIALIZER;

-static void DidDownloadImage(const WebContents::ImageDownloadCallback& callback,
-                             int id,
-                             const GURL& image_url,
-                             image_downloader::DownloadResultPtr result) {
-  DCHECK(result);

-  const std::vector<SkBitmap> images =
-      result->images.To<std::vector<SkBitmap>>();
-  const std::vector<gfx::Size> original_image_sizes =
-      result->original_image_sizes.To<std::vector<gfx::Size>>();

-  callback.Run(id, result->http_status_code, image_url, images,
-               original_image_sizes);
-}
-
 void NotifyCacheOnIO(
     scoped_refptr<net::URLRequestContextGetter> request_context,
     const GURL& url,
@@ -391,7 +376,8 @@ WebContentsImpl::WebContentsImpl(BrowserContext* browser_context)
       accessibility_mode_(
           BrowserAccessibilityStateImpl::GetInstance()->accessibility_mode()),
       virtual_keyboard_requested_(false),
-      loading_weak_factory_(this) {
+      loading_weak_factory_(this),
+      weak_factory_(this) {
   frame_tree_.SetFrameRemoveListener(
       base::Bind(&WebContentsImpl::OnFrameRemoved,
                  base::Unretained(this)));
@@ -2636,12 +2622,14 @@ int WebContentsImpl::DownloadImage(
   // Android), the downloader service will be invalid. Pre-Mojo, this would
   // hang the callback indefinetly since the IPC would be dropped. Now,
   // respond with a 400 HTTP error code to indicate that something went wrong.
+  image_downloader::DownloadResultPtr result =
+      image_downloader::DownloadResult::New();
+  result->http_status_code = 400;
   BrowserThread::PostTask(
       BrowserThread::UI, FROM_HERE,
-      base::Bind(&WebContents::ImageDownloadCallback::Run,
-                 base::Owned(new ImageDownloadCallback(callback)),
-                 download_id, 400, url, std::vector<SkBitmap>(),
-                 std::vector<gfx::Size>()));
+      base::Bind(&WebContentsImpl::OnDidDownloadImage,
+                 weak_factory_.GetWeakPtr(), callback, download_id, url,
+                 base::Passed(&result)));
   return download_id;
 }

@@ -2654,8 +2642,9 @@ int WebContentsImpl::DownloadImage(
   req->bypass_cache = bypass_cache;

   mojo_image_downloader->DownloadImage(
-      req.Pass(),
-      base::Bind(&DidDownloadImage, callback, download_id, url));
+      req.Pass(), base::Bind(&WebContentsImpl::OnDidDownloadImage,
+                             weak_factory_.GetWeakPtr(), callback,
+                             download_id, url));
   return download_id;
 }

@@ -4374,6 +4363,20 @@ bool WebContentsImpl::GetAllowOtherViews() {

 #endif

+void WebContentsImpl::OnDidDownloadImage(
+    const ImageDownloadCallback& callback,
+    int id,
+    const GURL& image_url,
+    image_downloader::DownloadResultPtr result) {
+  const std::vector<SkBitmap> images =
+      result->images.To<std::vector<SkBitmap>>();
+  const std::vector<gfx::Size> original_image_sizes =
+      result->original_image_sizes.To<std::vector<gfx::Size>>();
+
+  callback.Run(id, result->http_status_code, image_url, images,
+               original_image_sizes);
+}
+
 void WebContentsImpl::OnDialogClosed(int render_process_id,
                                      int render_frame_id,
                                      IPC::Message* reply_msg,
diff --git a/chromium/content/browser/web_contents/web_contents_impl.h b/chromium/content/browser/web_contents/web_contents_impl.h
index b78fff049f2..6062bb0610e 100644
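Review bot: In the fallback path of DownloadImage() the new `result` only has `http_status_code` set; `images` and `original_image_sizes` are left in their default state, and OnDidDownloadImage() then converts both with `To<std::vector<...>>()`, whereas the removed code passed explicit empty vectors to the callback. If a default-constructed mojo array converts to an empty vector this is equivalent, but the hunk does not make that assumption visible. Initializing the two arrays explicitly here, or adding `// images/original_image_sizes are left empty; OnDidDownloadImage() converts them to empty vectors.`, would pin the intent. DownloadImage() begins before this hunk.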
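Review bot: OnDidDownloadImage() dereferences `result` in its first statement, but the `DCHECK(result);` that guarded the same dereference in the removed static DidDownloadImage() was not carried over. The method is reached both from the Mojo reply and from the fallback PostTask, so adding `DCHECK(result);` as the first line of the body keeps the old invariant checked in debug builds. A one-line comment above it noting that a null result is a programming error, not an I/O failure, would help the next reader.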
--- a/chromium/content/browser/web_contents/web_contents_impl.h
+++ b/chromium/content/browser/web_contents/web_contents_impl.h
@@ -779,6 +779,12 @@ class CONTENT_EXPORT WebContentsImpl
   // all the unique RenderWidgetHostViews.
   std::set<RenderWidgetHostView*> GetRenderWidgetHostViewsInTree();

+  // Called with the result of a DownloadImage() request.
+  void OnDidDownloadImage(const ImageDownloadCallback& callback,
+                          int id,
+                          const GURL& image_url,
+                          image_downloader::DownloadResultPtr result);
+
   // Callback function when showing JavaScript dialogs. Takes in a routing ID
   // pair to identify the RenderFrameHost that opened the dialog, because it's
   // possible for the RenderFrameHost to be deleted by the time this is called.
@@ -1281,6 +1287,7 @@ class CONTENT_EXPORT WebContentsImpl
 #endif

   base::WeakPtrFactory<WebContentsImpl> loading_weak_factory_;
+  base::WeakPtrFactory<WebContentsImpl> weak_factory_;

   DISALLOW_COPY_AND_ASSIGN(WebContentsImpl);
 };
|
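Review bot: The comment on OnDidDownloadImage() omits the contract that motivates the method: it is bound through `weak_factory_.GetWeakPtr()`, so it is skipped when this WebContentsImpl has been destroyed and the caller's ImageDownloadCallback is then never run. Suggest `// Called with the result of a DownloadImage() request. Bound through weak_factory_, so it is not run (and the caller's callback is dropped) if this WebContentsImpl is destroyed first.` Callers of the public DownloadImage() API that wait on the callback are affected by this; its documentation in WebContents is outside this diff, but presumably should state that the callback may not be invoked.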
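Review bot: `weak_factory_` is placed as the last data member, which is what makes the weak pointers handed out in DownloadImage() invalidate before the rest of the object is torn down, but nothing in the header says so. A comment such as `// Must be the last member so that WeakPtrs are invalidated before other members are destroyed.` above the declaration would protect that ordering from a later reshuffle.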