author | ananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2008-11-03 23:21:38 +0000 |
---|---|---|
committer | ananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2008-11-03 23:21:38 +0000 |
commit | 5f8cbd5751a4d2ef52974fa4b4f7ab9943db07d1 (patch) | |
tree | cf5f48b13de4cce957189db1ef70f6d70d6ef44b | |
parent | f4b7ffb48f3209816e2c5eb87833cc22377c9404 (diff) | |
This fixes bug http://code.google.com/p/chromium/issues/detail?id=3907, which
was a crash in the browser in the IPC handler codepath which handles scrolling.
The crash occurred because of a failure to find the backing store for the RenderWidgetHost instance. We would end up dereferencing a NULL backing store pointer and crash.
The fix for this is to check for a NULL backing store and return.
R=darin
Bug=3907
Review URL: http://codereview.chromium.org/9056
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@4517 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | chrome/browser/render_widget_host.cc | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/chrome/browser/render_widget_host.cc b/chrome/browser/render_widget_host.cc index 281d6aa46..055d376 100644 --- a/chrome/browser/render_widget_host.cc +++ b/chrome/browser/render_widget_host.cc @@ -788,7 +788,7 @@ void RenderWidgetHost::ScrollRect(HANDLE bitmap, const gfx::Rect& bitmap_rect, // the same size as the advertised view? maybe we just assume there is a // full paint on its way? BackingStore* backing_store = BackingStoreManager::Lookup(this); - if (backing_store && backing_store->size() != view_size) + if (!backing_store || (backing_store->size() != view_size)) return; RECT damaged_rect, r = clip_rect.ToRECT(); |
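Review bot: The new `!backing_store` branch in `RenderWidgetHost::ScrollRect` returns silently, while the comment directly above the lookup still only discusses the size-mismatch case ("maybe we just assume there is a full paint on its way?"). Please extend that comment to say why `BackingStoreManager::Lookup(this)` can return NULL at this point and whether a later paint is guaranteed to follow, since otherwise the scroll is dropped without any trace. The diffstat shows only render_widget_host.cc changed, so a regression test that exercises a lookup miss in this handler would be worth adding alongside the fix.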