author | tony@chromium.org <tony@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-06-24 00:23:41 +0000 |
---|---|---|
committer | tony@chromium.org <tony@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-06-24 00:23:41 +0000 |
commit | a9768f7049274a7e18504226fe411a562ca2fec3 (patch) | |
tree | fd3738ecd847d6aa248bc165fec6b2d2ff3e6b30 | |
parent | 147167becd3bc65698ad8122461449256fbb7362 (diff) | |
Fix a crash when the content type of a multipart request
changes to a content type that we ignore the load of.
For example, if the content type of a multipart request changes
from text/html to foo/bar, we would crash because we would
delete the multipart delegate while it was still on the stack.
BUG=47105
Review URL: http://codereview.chromium.org/2850023
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@50676 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | webkit/glue/multipart_response_delegate.cc | 10 | ||||
-rw-r--r-- | webkit/glue/multipart_response_delegate.h | 6 | ||||
-rw-r--r-- | webkit/glue/weburlloader_impl.cc | 3 |
3 files changed, 14 insertions, 5 deletions
diff --git a/webkit/glue/multipart_response_delegate.cc b/webkit/glue/multipart_response_delegate.cc
index 1b68064..d7c8c29 100644
--- a/webkit/glue/multipart_response_delegate.cc
+++ b/webkit/glue/multipart_response_delegate.cc
@@ -125,7 +125,7 @@ void MultipartResponseDelegate::OnReceivedData(const char* data,
 size_t boundary_pos;
 while ((boundary_pos = FindBoundary()) != std::string::npos) {
- if (boundary_pos > 0) {
+ if (boundary_pos > 0 && client_) {
 // Send the last data chunk.
 client_->didReceiveData(loader_,
 data_.data(),
@@ -158,7 +158,8 @@ void MultipartResponseDelegate::OnReceivedData(const char* data,
 int send_length = data_.length() - boundary_.length();
 if (data_[data_.length() - 1] == '\n')
 send_length = data_.length();
- client_->didReceiveData(loader_, data_.data(), send_length);
+ if (client_)
+ client_->didReceiveData(loader_, data_.data(), send_length);
 data_ = data_.substr(send_length);
 }
 }
@@ -166,7 +167,7 @@ void MultipartResponseDelegate::OnReceivedData(const char* data,
 void MultipartResponseDelegate::OnCompletedRequest() {
 // If we have any pending data and we're not in a header, go ahead and send
 // it to WebCore.
- if (!processing_headers_ && !data_.empty()) {
+ if (!processing_headers_ && !data_.empty() && !stop_sending_ && client_) {
 client_->didReceiveData(loader_,
 data_.data(),
 static_cast<int>(data_.length()));
@@ -247,7 +248,8 @@ bool MultipartResponseDelegate::ParseHeaders() {
 response.setIsMultipartPayload(has_sent_first_response_);
 has_sent_first_response_ = true;
 // Send the response!
- client_->didReceiveResponse(loader_, response);
+ if (client_)
+ client_->didReceiveResponse(loader_, response);
 return true;
 }
diff --git a/webkit/glue/multipart_response_delegate.h b/webkit/glue/multipart_response_delegate.h
index 268999b..aded54a 100644
--- a/webkit/glue/multipart_response_delegate.h
+++ b/webkit/glue/multipart_response_delegate.h
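Review bot: In multipart_response_delegate.cc the new `if (client_)` guards are applied call by call (the two `didReceiveData` sites in OnReceivedData, the one in OnCompletedRequest, and `didReceiveResponse` in ParseHeaders), so the fix holds only while every `client_->` use remembers the check; only the OnCompletedRequest hunk also tests `stop_sending_`. The commit message implies Cancel() can be reached from inside one of these callbacks, so I would record that next to the while loop, e.g. `// Any client callback may call Cancel() and clear client_; re-check it before each use.` After a cancel the loop appears to keep scanning boundaries and headers with nobody to deliver to; whether it can simply stop depends on parts of OnReceivedData that lie outside these hunks.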
@@ -75,6 +75,12 @@ class MultipartResponseDelegate {
 void OnReceivedData(const char* data, int data_len);
 void OnCompletedRequest();
+ // The request has been canceled, so stop making calls to the client.
+ void Cancel() {
+ client_ = NULL;
+ loader_ = NULL;
+ }
+
 // Returns the multi part boundary string from the Content-type header
 // in the response.
 // Returns true on success.
diff --git a/webkit/glue/weburlloader_impl.cc b/webkit/glue/weburlloader_impl.cc
index 4261f0f..8800d6a9 100644
--- a/webkit/glue/weburlloader_impl.cc
+++ b/webkit/glue/weburlloader_impl.cc
@@ -270,7 +270,8 @@ void WebURLLoaderImpl::Context::Cancel() {
 // Ensure that we do not notify the multipart delegate anymore as it has
 // its own pointer to the client.
- multipart_delegate_.reset();
+ if (multipart_delegate_.get())
+ multipart_delegate_->Cancel();
 // Do not make any further calls to the client.
 client_ = NULL; |
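Review bot: The comment on `Cancel()` in multipart_response_delegate.h does not state the lifetime contract this fix relies on: the delegate stays alive after the call, and later OnReceivedData()/OnCompletedRequest() calls must no longer reach the client. I would extend it to something like `// Safe to call from inside a client callback. The delegate is not destroyed; it only stops calling the client.` The inline body clears `client_` and `loader_` but leaves `stop_sending_` and any buffered data untouched, which is worth confirming as intended. The class body continues outside the hunk.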
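Review bot: The comment kept above the changed lines in WebURLLoaderImpl::Context::Cancel() still reads as if the delegate were no longer notified, but the delegate now survives the cancel and Context presumably keeps forwarding data to it, relying on the delegate's own `client_` checks. Suggested wording: `// Tell the multipart delegate to drop its client pointer. Do not delete it here: Cancel() can run while the delegate is still on the stack.` The diffstat lists no test file, so the crash from BUG=47105 (a deleted delegate still executing) has no regression coverage in this commit; a test that cancels the load from inside a multipart callback would pin it. Cancel() continues past the end of the hunk.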