authorananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-12-05 21:42:55 +0000
committerananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-12-05 21:42:55 +0000
commit3fae4c589cc60e1b43a618d6e4bfdd078da507d1 (patch)
treedf77b3d55987c55ae86649488fcd49992195067f
parent99964b4d32113ca3efadc7573dcdd1f82a834e7a (diff)
Fix a crash in the NPAPI plugin code which occurs after we call the plugins window proc.
The crash occurs while dereferencing the WebPluginDelegateImpl instance after the CallWindowProc call. It appears that the plugin instance was destroyed in this context. The attempted fix is to check whether the HWND is still valid before dereferencing the instance, the theory being that if the instance is destroyed, the HWND will also be destroyed via WindowedDestroyWindow.
BUG=276339
R=jam@chromium.org, jam
Review URL: https://codereview.chromium.org/105683004
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@239040 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--content/child/npapi/webplugin_delegate_impl_win.cc11
1 files changed, 9 insertions, 2 deletions
diff --git a/content/child/npapi/webplugin_delegate_impl_win.cc b/content/child/npapi/webplugin_delegate_impl_win.cc
index 2cc8939..73bb442 100644
--- a/content/child/npapi/webplugin_delegate_impl_win.cc
+++ b/content/child/npapi/webplugin_delegate_impl_win.cc
@@ -1022,7 +1022,13 @@ LRESULT CALLBACK WebPluginDelegateImpl::NativeWndProc(
result = CallWindowProc(
delegate->plugin_wnd_proc_, hwnd, message, wparam, lparam);
- delegate->is_calling_wndproc = false;
+ // The plugin instance may have been destroyed in the CallWindowProc call
+ // above. This will also destroy the plugin window. Before attempting to
+ // access the WebPluginDelegateImpl instance we validate if the window is
+ // still valid.
+ if (::IsWindow(hwnd))
+ delegate->is_calling_wndproc = false;
+
g_current_plugin_instance = last_plugin_instance;
if (message == WM_NCDESTROY) {
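Review bot: `::IsWindow(hwnd)` is only a proxy for the lifetime of `delegate`, so the guarded write `delegate->is_calling_wndproc = false;` can still land on freed memory; the same applies to the `delegate->last_message_ = old_message;` guard in the next hunk. Window handle values can be reused once a window is destroyed, and nothing visible here ties the delegate's destruction strictly to the window's, which the commit message itself describes as a theory. A lifetime signal owned by the delegate would be firmer, for example re-reading the delegate pointer from the window after `CallWindowProc` returns and skipping both writes when it is null or no longer matches (this assumes the pointer is looked up from the window earlier in NativeWndProc, which starts outside the hunk). At minimum the new comment should state the limitation: `// NOTE: IsWindow() is a heuristic; HWNDs can be recycled, so this narrows the use-after-free window but does not close it.`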
@@ -1038,7 +1044,8 @@ LRESULT CALLBACK WebPluginDelegateImpl::NativeWndProc(
ClearThrottleQueueForWindow(hwnd);
}
}
- delegate->last_message_ = old_message;
+ if (::IsWindow(hwnd))
+ delegate->last_message_ = old_message;
return result;
}