author | shess@chromium.org <shess@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-02-18 01:51:16 +0000 |
---|---|---|
committer | shess@chromium.org <shess@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-02-18 01:51:16 +0000 |
commit | 1c18390fe5f0cc8b3126244c943a587805017357 (patch) | |
tree | 6001f4c8b0bdf4357baa2a4feb9957e4c7ec39f5 | |
parent | 22362996acd8587829db61000936bfa050ff644e (diff) | |
Merge to 1025 122430 - Clear statement before closing db in cookie code.
sql::Statement maintains a weak ref to the associated sql::Connection,
meaning that if the database and statement are destructed in the wrong
order, a use-after-free can result. sql::Statement::Clear() allows
resetting the statement to the default-constructed state.
BUG=111376
TEST=fewer crashes.
Review URL: http://codereview.chromium.org/9418021
TBR=shess@chromium.org
Review URL: https://chromiumcodereview.appspot.com/9425027
git-svn-id: svn://svn.chromium.org/chrome/branches/1025/src@122663 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | chrome/browser/net/sqlite_persistent_cookie_store.cc | 7 | ||||
-rw-r--r-- | sql/statement.cc | 5 | ||||
-rw-r--r-- | sql/statement.h | 4 |
3 files changed, 13 insertions, 3 deletions
diff --git a/chrome/browser/net/sqlite_persistent_cookie_store.cc b/chrome/browser/net/sqlite_persistent_cookie_store.cc
index de1b849..474be40 100644
--- a/chrome/browser/net/sqlite_persistent_cookie_store.cc
+++ b/chrome/browser/net/sqlite_persistent_cookie_store.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -566,7 +566,7 @@ void SQLitePersistentCookieStore::Backend::ChainLoadCookies(
         BrowserThread::IO, FROM_HERE,
         base::Bind(&SQLitePersistentCookieStore::Backend::CompleteLoadOnIOThread,
                    this, loaded_callback, load_success));
-    if (!restore_old_session_cookies_)
+    if (load_success && !restore_old_session_cookies_)
       DeleteSessionCookies();
   }
 }
@@ -589,8 +589,9 @@ bool SQLitePersistentCookieStore::Backend::LoadCookiesForDomains(
         "secure, httponly, last_access_utc, has_expires, persistent "
         "FROM cookies WHERE host_key = ? AND persistent = 1"));
   }
-  if (!smt) {
+  if (!smt.is_valid()) {
     NOTREACHED() << "select statement prep failed";
+    smt.Clear(); // Disconnect smt_ref from db_.
     db_.reset();
     return false;
   }
diff --git a/sql/statement.cc b/sql/statement.cc
index a5daae4..decdb68 100644
--- a/sql/statement.cc
+++ b/sql/statement.cc
@@ -35,6 +35,11 @@ void Statement::Assign(scoped_refptr<Connection::StatementRef> ref) {
   ref_ = ref;
 }
 
+void Statement::Clear() {
+  Assign(new Connection::StatementRef);
+  succeeded_ = false;
+}
+
 bool Statement::CheckValid() const {
   if (!is_valid())
     DLOG(FATAL) << "Cannot call mutating statements on an invalid statement.";
diff --git a/sql/statement.h b/sql/statement.h
index c7e2c40..0c58e3a 100644
--- a/sql/statement.h
+++ b/sql/statement.h
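Review bot: The new `load_success &&` guard in front of DeleteSessionCookies() is a behavior change that neither the commit message nor an in-code comment explains; the message only describes the Statement::Clear() fix. Presumably the guard exists because a failed load can leave db_ reset (the LoadCookiesForDomains hunk in this same file calls `db_.reset()` on its failure path), so DeleteSessionCookies() would otherwise run against a connection that no longer exists, but that is inferred rather than visible here. A one-line why-comment above the condition would keep the guard from being "simplified" away later, e.g. `// A failed load may already have reset db_; skip the cleanup query in that case.` ChainLoadCookies begins outside the hunk.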
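Review bot: The added `smt.Clear();` is only correct because it precedes `db_.reset();`, and the comment `// Disconnect smt_ref from db_.` names `smt_ref`, an identifier that does not appear in this code; the local is `smt`. Spell out the ordering constraint the commit message gives so the two lines are not reordered by a later edit: `smt.Clear();  // Must precede db_.reset(): smt's StatementRef is a weak link to the Connection, and smt's destructor would otherwise touch freed memory.` Any other path in this file that resets db_ while a sql::Statement local is still alive needs the same treatment, but only this one is visible in the hunk. LoadCookiesForDomains begins outside the hunk.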
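Review bot: Statement::Clear() resets `succeeded_` by hand after Assign(), so it matches the default constructor only for as long as the constructor initializes exactly `ref_` and `succeeded_`; nothing in the code ties the two together, and Assign() itself (which starts outside the hunk) visibly only sets `ref_`. Add a comment that states the invariant, e.g. `// Keep in sync with Statement::Statement(): every member the default constructor initializes must be reset here.`, or have the default constructor delegate to Clear() so the drift cannot happen. `Assign(new Connection::StatementRef)` also relies on a default-constructed StatementRef reporting is_valid() as false; that is presumably true but not visible in this hunk.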
@@ -55,6 +55,10 @@ class SQL_EXPORT Statement {
   // be valid. Use is_valid() to check if it's OK.
   void Assign(scoped_refptr<Connection::StatementRef> ref);
 
+  // Resets the statement to an uninitialized state corrosponding to
+  // the default constructor, releasing the StatementRef.
+  void Clear();
+
   // Returns true if the statement can be executed. All functions can still
   // be used if the statement is invalid, but they will return failure or some
   // default value. This is because the statement can become invalid in the
 |
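Review bot: The new comment on Clear() misspells "corresponding" as `corrosponding`, and it does not say when a caller should use the method, which is the reason the commit introduces it. Suggested wording, using the lifetime rule from the commit message: `// Resets the statement to the state of a default-constructed Statement, releasing its StatementRef. Call this before the Connection that prepared the statement goes away if this Statement will outlive it; the ref holds only a weak link to the Connection.` The weak-link claim comes from the commit description, not from code visible in this hunk.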