author | pliard@chromium.org <pliard@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-01-04 12:57:54 +0000 |
---|---|---|
committer | pliard@chromium.org <pliard@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-01-04 12:57:54 +0000 |
commit | 2939257ab196fee8b3361ce84ececdc6d325d158 (patch) | |
tree | f3c232b3433298746511c3817e65e3aea2777e73 /.DEPS.git | |
parent | 18eab2d146b6d158992fa6ddc6a266a2a5264c81 (diff) | |
Fix use after free in JavascriptAppModalDialogAndroid.
On Android JavascriptAppModalDialog is implemented with a Java class and its
native counterpart.
The Java class holds a pointer to the native instance. When UI events (e.g.
button click) are processed, the Java side calls a native method (e.g.
JavascriptAppModalDialog::DidAcceptAppModalDialog()). When this native method
completes the instance deletes itself.
This is only correct if it is guaranteed that no further native method
call is performed by the Java side after the pointer was freed.
The problem is that this can happen in some rare circumstances. For instance,
the user could manage to click on two buttons before the dialog is closed, which
might happen if the first click event is not processed immediately or takes a
long time to be processed.
This CL fixes the crash by invalidating the native pointer on the Java side
when the native instance is deleted, so that the Java side performs a native
method call only if the native instance pointer is still valid.
BUG=167585
Review URL: https://codereview.chromium.org/11728004
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@175139 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to '.DEPS.git')
0 files changed, 0 insertions, 0 deletions
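The ownership pattern the commit message describes, reduced to a single-process C++ model so the race and the fix can be exercised stand-alone. This is an added illustration, not Chromium's code: the Java object is modelled as a plain struct holding a raw pointer (a `jlong` handle in real JNI code), and every name (`JavaDialog`, `NativeDialog`, `OnAcceptClicked`, `SimulateDoubleClick`) is hypothetical.

```cpp
#include <cstddef>

// Hypothetical names throughout; this models the ownership pattern, not
// Chromium's actual classes.
class NativeDialog;

// Stand-in for the Java object. It owns nothing; it only keeps a handle
// to the native instance (a jlong in real JNI code, a raw pointer here).
struct JavaDialog {
  NativeDialog* native_ptr = nullptr;
  int calls_forwarded = 0;  // native methods actually invoked
  int calls_dropped = 0;    // clicks ignored because the handle was already cleared
};

// The native instance. It is self-owning: it deletes itself once the
// user's answer has been delivered, as the commit message describes.
class NativeDialog {
 public:
  NativeDialog(JavaDialog* java, int* destroyed_counter)
      : java_(java), destroyed_(destroyed_counter) {
    java_->native_ptr = this;  // hand the handle to the Java side
  }

  // Called from the Java side when the user clicks the accept button.
  void DidAcceptAppModalDialog() {
    // The fix: clear the Java side's handle before freeing this object, so a
    // later click finds no native instance to call into. Without this line a
    // second click would call through a dangling pointer (use after free).
    java_->native_ptr = nullptr;
    delete this;
  }

 private:
  ~NativeDialog() { ++*destroyed_; }  // private: only the object deletes itself
  JavaDialog* java_;
  int* destroyed_;
};

// The Java-side click handler: call into native only while the handle is valid.
bool OnAcceptClicked(JavaDialog& java) {
  if (java.native_ptr == nullptr) {
    ++java.calls_dropped;
    return false;
  }
  ++java.calls_forwarded;
  java.native_ptr->DidAcceptAppModalDialog();  // may delete the native instance
  return true;
}

struct Outcome {
  int forwarded;
  int dropped;
  int destroyed;
};

// Simulates the race from the commit message: two clicks delivered before the
// dialog is torn down. Expected: one forwarded, one dropped, one destruction.
Outcome SimulateDoubleClick() {
  int destroyed = 0;
  JavaDialog java;
  NativeDialog* native = new NativeDialog(&java, &destroyed);  // self-owning
  (void)native;            // freed inside DidAcceptAppModalDialog, never touched again here
  OnAcceptClicked(java);   // first click: forwarded, native instance deletes itself
  OnAcceptClicked(java);   // second click: handle is null, safely ignored
  return {java.calls_forwarded, java.calls_dropped, destroyed};
}
```

Two things a reviewer would check in any real instance of this pattern: the handle must be cleared on every path that frees the native object (cancel, dismiss, and teardown initiated from the native side), not only the accept path, and the null check and the deletion must run on the same thread (the UI thread on Android); if they can run concurrently, the check is a time-of-check/time-of-use gap rather than a fix.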