Fix potential use-after-free in ephemeral_app_launcher.cc and webstore_install_with_prompt.cc

This CL fixes use-after-frees which occur if the app list is dismissed quickly after an install is initiated. The use-after-free is easy to reproduce with a slow internet connection. BUG=422814 TEST=None Review URL: https://codereview.chromium.org/711633002 Cr-Commit-Position: refs/heads/master@{#304071}
author: pkotwicz <pkotwicz@chromium.org> 2014-11-13 12:28:08 -0800
committer: Commit bot <commit-bot@chromium.org> 2014-11-13 20:28:29 +0000
commit: 2052bb4652dda8706ce319bf211f9589ed928ee7 (patch)
tree: b27583a435e30fdc4a807000b9b460b9df64bdb4
parent: b2f30412e18f8ec84f50bcb0af5e78bc1aaf5bc7 (diff)
download: chromium_src-2052bb4652dda8706ce319bf211f9589ed928ee7.zip
chromium_src-2052bb4652dda8706ce319bf211f9589ed928ee7.tar.gz
chromium_src-2052bb4652dda8706ce319bf211f9589ed928ee7.tar.bz2
4 files changed, 22 insertions, 4 deletions
diff --git a/chrome/browser/apps/ephemeral_app_launcher.cc b/chrome/browser/apps/ephemeral_app_launcher.cc
index 90f423f..a1f516b 100644
--- a/chrome/browser/apps/ephemeral_app_launcher.cc
+++ b/chrome/browser/apps/ephemeral_app_launcher.cc
@@ -13,6 +13,7 @@
 #include "chrome/browser/ui/browser_navigator.h"
 #include "chrome/browser/ui/extensions/application_launch.h"
 #include "chrome/browser/ui/extensions/extension_enable_flow.h"
+#include "chrome/browser/ui/native_window_tracker.h"
 #include "chrome/browser/ui/scoped_tabbed_browser_displayer.h"
 #include "chrome/common/chrome_switches.h"
 #include "chrome/common/extensions/manifest_handlers/app_launch_info.h"
@@ -163,6 +164,8 @@ EphemeralAppLauncher::EphemeralAppLauncher(const std::string& webstore_item_id,
       parent_window_(parent_window),
       dummy_web_contents_(
           WebContents::Create(WebContents::CreateParams(profile))) {
+   if (parent_window_)
+     parent_window_tracker_ = NativeWindowTracker::Create(parent_window);
 }
 
 EphemeralAppLauncher::EphemeralAppLauncher(const std::string& webstore_item_id,
@@ -353,7 +356,14 @@ void EphemeralAppLauncher::InitInstallData(
 }
 
 bool EphemeralAppLauncher::CheckRequestorAlive() const {
-  return dummy_web_contents_.get() != NULL || web_contents() != NULL;
+  if (!parent_window_) {
+    // Assume the requestor is always alive if |parent_window_| is null.
+    return true;
+  }
+
+  return (web_contents() != nullptr ||
+          (parent_window_tracker_ &&
+              !parent_window_tracker_->WasNativeWindowClosed()));
 }
 
 const GURL& EphemeralAppLauncher::GetRequestorURL() const {
diff --git a/chrome/browser/apps/ephemeral_app_launcher.h b/chrome/browser/apps/ephemeral_app_launcher.h
index 04927b5..39a6c18 100644
--- a/chrome/browser/apps/ephemeral_app_launcher.h
+++ b/chrome/browser/apps/ephemeral_app_launcher.h
@@ -16,6 +16,7 @@
 #include "content/public/browser/web_contents_observer.h"
 
 class ExtensionEnableFlow;
+class NativeWindowTracker;
 class Profile;
 
 namespace content {
@@ -143,6 +144,7 @@ class EphemeralAppLauncher : public extensions::WebstoreStandaloneInstaller,
   LaunchCallback launch_callback_;
 
   gfx::NativeWindow parent_window_;
+  scoped_ptr<NativeWindowTracker> parent_window_tracker_;
   scoped_ptr<content::WebContents> dummy_web_contents_;
 
   scoped_ptr<ExtensionEnableFlow> extension_enable_flow_;
diff --git a/chrome/browser/extensions/webstore_install_with_prompt.cc b/chrome/browser/extensions/webstore_install_with_prompt.cc
index f66acc1..b0ddf40 100644
--- a/chrome/browser/extensions/webstore_install_with_prompt.cc
+++ b/chrome/browser/extensions/webstore_install_with_prompt.cc
@@ -34,7 +34,8 @@ WebstoreInstallWithPrompt::WebstoreInstallWithPrompt(
       dummy_web_contents_(
           WebContents::Create(WebContents::CreateParams(profile))),
       parent_window_(parent_window) {
-  DCHECK(parent_window);
+  if (parent_window_)
+    parent_window_tracker_ = NativeWindowTracker::Create(parent_window);
   set_install_source(WebstoreInstaller::INSTALL_SOURCE_OTHER);
 }
 
@@ -42,8 +43,11 @@ WebstoreInstallWithPrompt::~WebstoreInstallWithPrompt() {
 }
 
 bool WebstoreInstallWithPrompt::CheckRequestorAlive() const {
-  // Assume the requestor is always alive.
-  return true;
+  if (!parent_window_) {
+    // Assume the requestor is always alive if |parent_window_| is null.
+    return true;
+  }
+  return !parent_window_tracker_->WasNativeWindowClosed();
 }
 
 const GURL& WebstoreInstallWithPrompt::GetRequestorURL() const {
diff --git a/chrome/browser/extensions/webstore_install_with_prompt.h b/chrome/browser/extensions/webstore_install_with_prompt.h
index 189ec97..7166d58 100644
--- a/chrome/browser/extensions/webstore_install_with_prompt.h
+++ b/chrome/browser/extensions/webstore_install_with_prompt.h
@@ -8,6 +8,7 @@
 #include "base/basictypes.h"
 #include "base/memory/scoped_ptr.h"
 #include "chrome/browser/extensions/webstore_standalone_installer.h"
+#include "chrome/browser/ui/native_window_tracker.h"
 #include "ui/gfx/native_widget_types.h"
 #include "url/gurl.h"
 
@@ -71,6 +72,7 @@ class WebstoreInstallWithPrompt : public WebstoreStandaloneInstaller {
   scoped_ptr<content::WebContents> dummy_web_contents_;
 
   gfx::NativeWindow parent_window_;
+  scoped_ptr<NativeWindowTracker> parent_window_tracker_;
 
   DISALLOW_COPY_AND_ASSIGN(WebstoreInstallWithPrompt);
 };
author	pkotwicz <pkotwicz@chromium.org>	2014-11-13 12:28:08 -0800
committer	Commit bot <commit-bot@chromium.org>	2014-11-13 20:28:29 +0000
commit	2052bb4652dda8706ce319bf211f9589ed928ee7 (patch)
tree	b27583a435e30fdc4a807000b9b460b9df64bdb4
parent	b2f30412e18f8ec84f50bcb0af5e78bc1aaf5bc7 (diff)
download	chromium_src-2052bb4652dda8706ce319bf211f9589ed928ee7.zip chromium_src-2052bb4652dda8706ce319bf211f9589ed928ee7.tar.gz chromium_src-2052bb4652dda8706ce319bf211f9589ed928ee7.tar.bz2