authorJüri Valdmann <juri.valdmann@qt.io>2020-02-26 10:08:05 +0100
committerJüri Valdmann <juri.valdmann@qt.io>2020-02-26 14:10:25 +0100
commit2d8d15047fdbf046cdee9fba103587c19808d7d2 (patch)
treed2f3047ed3002706ce5b11647d41bf720a5ef1e4
parent6adf1bf7162185d1f57f0a25226dec8e27520673 (diff)
Fix use-after-free in CustomURLLoader
Change-Id: I06e6622cc0e59674be975f43b82fafa2e7a05edd Reviewed-by: Kirill Burtsev <kirill.burtsev@qt.io>
-rw-r--r--src/core/net/custom_url_loader_factory.cpp27
1 files changed, 14 insertions, 13 deletions
diff --git a/src/core/net/custom_url_loader_factory.cpp b/src/core/net/custom_url_loader_factory.cpp
index 555eccf42..239494ce9 100644
--- a/src/core/net/custom_url_loader_factory.cpp
+++ b/src/core/net/custom_url_loader_factory.cpp
@@ -269,15 +269,15 @@ private:
m_client->OnReceiveResponse(m_head);
m_client->OnStartLoadingResponseBody(std::move(m_pipe.consumer_handle));
- readAvailableData();
- if (m_device) {
- m_watcher = std::make_unique<mojo::SimpleWatcher>(
- FROM_HERE, mojo::SimpleWatcher::ArmingPolicy::AUTOMATIC, m_taskRunner);
- m_watcher->Watch(m_pipe.producer_handle.get(), MOJO_HANDLE_SIGNAL_WRITABLE,
- MOJO_WATCH_CONDITION_SATISFIED,
- base::BindRepeating(&CustomURLLoader::notifyReadyWrite,
- m_weakPtrFactory.GetWeakPtr()));
- }
+ if (readAvailableData()) // May delete this
+ return;
+
+ m_watcher = std::make_unique<mojo::SimpleWatcher>(
+ FROM_HERE, mojo::SimpleWatcher::ArmingPolicy::AUTOMATIC, m_taskRunner);
+ m_watcher->Watch(m_pipe.producer_handle.get(), MOJO_HANDLE_SIGNAL_WRITABLE,
+ MOJO_WATCH_CONDITION_SATISFIED,
+ base::BindRepeating(&CustomURLLoader::notifyReadyWrite,
+ m_weakPtrFactory.GetWeakPtr()));
}
void notifyCanceled() override
{
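Review bot: With the old `if (m_device)` guard removed, the watcher setup after the early return relies on an unstated invariant: a `false` result from readAvailableData() means the loader is still alive and m_device is still set. The visible `false` returns (pipe not yet writable, zero bytes read) look consistent with that, but nothing in the code records it. Adding `DCHECK(m_device);` right after the `return;` would keep the invariant checked in debug builds and make a regression of this use-after-free easier to spot. The enclosing function starts outside the hunk.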
@@ -334,7 +334,7 @@ private:
}
readAvailableData();
}
- void readAvailableData()
+ bool readAvailableData()
{
DCHECK(m_taskRunner->RunsTasksInCurrentSequence());
for (;;) {
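Review bot: The new `bool` result is the only signal that `this` may already be destroyed, yet the declaration `bool readAvailableData()` has no comment saying so, and the call in the context lines just above it (`readAvailableData();`) discards the result. That call is safe only because it is the last statement of its function, whose start is outside the hunk. Marking it `readAvailableData(); // May delete this; must remain the last statement` would stop a later edit from adding member access after it. A one-line contract above the declaration would cover the `return true` paths in the later hunks as well, for example `// Returns true once the transfer has completed or failed; this may have been deleted.`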
@@ -346,7 +346,7 @@ private:
MojoResult beginResult = m_pipe.producer_handle->BeginWriteData(
&buffer, &bufferSize, MOJO_BEGIN_WRITE_DATA_FLAG_NONE);
if (beginResult == MOJO_RESULT_SHOULD_WAIT)
- return; // Wait for pipe watcher
+ return false; // Wait for pipe watcher
if (beginResult != MOJO_RESULT_OK)
break;
@@ -358,16 +358,17 @@ private:
if (m_device->atEnd()) {
OnTransferComplete(MOJO_RESULT_OK);
- return;
+ return true; // Done with reading
}
if (readResult == 0)
- return; // Wait for readyRead
+ return false; // Wait for readyRead
if (readResult < 0)
break;
}
CompleteWithFailure(m_error ? net::Error(m_error) : net::ERR_FAILED);
+ return true; // Done with reading
}
base::TaskRunner *taskRunner() override
{