Fix use after free in ChromeURLDataManagerBackend::StartRequest.

BUG=170683


Review URL: https://chromiumcodereview.appspot.com/11969046

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@177512 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 4 insertions, 1 deletions

diff --git a/chrome/browser/ui/webui/chrome_url_data_manager_backend.cc b/chrome/browser/ui/webui/chrome_url_data_manager_backend.cc
index 86c7e2f..25608d2 100644
--- a/chrome/browser/ui/webui/chrome_url_data_manager_backend.cc
+++ b/chrome/browser/ui/webui/chrome_url_data_manager_backend.cc
@@ -525,13 +525,16 @@ bool ChromeURLDataManagerBackend::StartRequest(const GURL& url,
   MessageLoop* target_message_loop =
       source->source()->MessageLoopForRequestPath(path);
   if (!target_message_loop) {
+    bool is_incognito = job->is_incognito();
     job->MimeTypeAvailable(source->source()->GetMimeType(path));
+    // Eliminate potentially dangling pointer to avoid future use.
+    job = NULL;
 
     // The DataSource is agnostic to which thread StartDataRequest is called
     // on for this path.  Call directly into it from this thread, the IO
     // thread.
     source->source()->StartDataRequest(
-        path, job->is_incognito(),
+        path, is_incognito,
         base::Bind(&URLDataSourceImpl::SendResponse, source, request_id));
   } else {
     // URLRequestChromeJob should receive mime type before data. This