Merge 282729 "Fix use-after-free of ChildSharedBitmapManager"

> Fix use-after-free of ChildSharedBitmapManager > > Callbacks can cause the ChildSharedBitmapManager to be used after the compositor is gone, so pass the ThreadSafeSender (which is refcounted) to the callbacks instead. > > BUG=390563 > > Review URL: https://codereview.chromium.org/382133002 TBR=jbauman@chromium.org Review URL: https://codereview.chromium.org/390203002 git-svn-id: svn://svn.chromium.org/chrome/branches/2062/src@283044 0039d316-1c4b-4281-b951-d872f2087c98
author: jbauman@chromium.org <jbauman@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2014-07-14 22:06:23 +0000
committer: jbauman@chromium.org <jbauman@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2014-07-14 22:06:23 +0000
commit: ae78c4e752cd14ef716c71e5334434d161cf4818 (patch)
tree: 58ba5388669fc49d2297b422fa506e4887e91460
parent: ce290bc26b9e9f05b2b4c5d8d1b49aa0f62b41f2 (diff)
download: chromium_src-ae78c4e752cd14ef716c71e5334434d161cf4818.zip
chromium_src-ae78c4e752cd14ef716c71e5334434d161cf4818.tar.gz
chromium_src-ae78c4e752cd14ef716c71e5334434d161cf4818.tar.bz2
2 files changed, 22 insertions, 26 deletions
diff --git a/content/child/child_shared_bitmap_manager.cc b/content/child/child_shared_bitmap_manager.cc
index 904dc45..41c2261 100644
--- a/content/child/child_shared_bitmap_manager.cc
+++ b/content/child/child_shared_bitmap_manager.cc
@@ -10,9 +10,27 @@
 
 namespace content {
 
+namespace {
+
+void FreeSharedMemory(scoped_refptr<ThreadSafeSender> sender,
+                      cc::SharedBitmap* bitmap) {
+  TRACE_EVENT0("renderer", "ChildSharedBitmapManager::FreeSharedMemory");
+  sender->Send(new ChildProcessHostMsg_DeletedSharedBitmap(bitmap->id()));
+  delete bitmap->memory();
+}
+
+void ReleaseSharedBitmap(scoped_refptr<ThreadSafeSender> sender,
+                         cc::SharedBitmap* handle) {
+  TRACE_EVENT0("renderer", "ChildSharedBitmapManager::ReleaseSharedBitmap");
+  sender->Send(new ChildProcessHostMsg_DeletedSharedBitmap(handle->id()));
+}
+
+}  // namespace
+
 ChildSharedBitmapManager::ChildSharedBitmapManager(
     scoped_refptr<ThreadSafeSender> sender)
-    : sender_(sender) {}
+    : sender_(sender) {
+}
 
 ChildSharedBitmapManager::~ChildSharedBitmapManager() {}
 
@@ -42,13 +60,8 @@ scoped_ptr<cc::SharedBitmap> ChildSharedBitmapManager::AllocateSharedBitmap(
   sender_->Send(new ChildProcessHostMsg_AllocatedSharedBitmap(
       memory_size, handle_to_send, id));
 #endif
-  // The compositor owning the SharedBitmap will be closed before the
-  // ChildThread containng this, making the use of base::Unretained safe.
   return scoped_ptr<cc::SharedBitmap>(new cc::SharedBitmap(
-      memory.release(),
-      id,
-      base::Bind(&ChildSharedBitmapManager::FreeSharedMemory,
-                 base::Unretained(this))));
+      memory.release(), id, base::Bind(&FreeSharedMemory, sender_)));
 }
 
 scoped_ptr<cc::SharedBitmap> ChildSharedBitmapManager::GetSharedBitmapFromId(
@@ -70,22 +83,8 @@ scoped_ptr<cc::SharedBitmap> ChildSharedBitmapManager::GetBitmapForSharedMemory(
       mem->mapped_size(), handle_to_send, id));
   // The compositor owning the SharedBitmap will be closed before the
   // ChildThread containng this, making the use of base::Unretained safe.
-  return scoped_ptr<cc::SharedBitmap>(new cc::SharedBitmap(
-      mem,
-      id,
-      base::Bind(&ChildSharedBitmapManager::ReleaseSharedBitmap,
-                 base::Unretained(this))));
-}
-
-void ChildSharedBitmapManager::FreeSharedMemory(cc::SharedBitmap* bitmap) {
-  TRACE_EVENT0("renderer", "ChildSharedBitmapManager::FreeSharedMemory");
-  sender_->Send(new ChildProcessHostMsg_DeletedSharedBitmap(bitmap->id()));
-  delete bitmap->memory();
-}
-
-void ChildSharedBitmapManager::ReleaseSharedBitmap(cc::SharedBitmap* handle) {
-  TRACE_EVENT0("renderer", "ChildSharedBitmapManager::ReleaseSharedBitmap");
-  sender_->Send(new ChildProcessHostMsg_DeletedSharedBitmap(handle->id()));
+  return scoped_ptr<cc::SharedBitmap>(
+      new cc::SharedBitmap(mem, id, base::Bind(&ReleaseSharedBitmap, sender_)));
 }
 
 }  // namespace content
diff --git a/content/child/child_shared_bitmap_manager.h b/content/child/child_shared_bitmap_manager.h
index 1e54466..d83856b 100644
--- a/content/child/child_shared_bitmap_manager.h
+++ b/content/child/child_shared_bitmap_manager.h
@@ -27,9 +27,6 @@ class ChildSharedBitmapManager : public cc::SharedBitmapManager {
       base::SharedMemory* mem) OVERRIDE;
 
  private:
-  void FreeSharedMemory(cc::SharedBitmap* bitmap);
-  void ReleaseSharedBitmap(cc::SharedBitmap*);
-
   scoped_refptr<ThreadSafeSender> sender_;
 
   DISALLOW_COPY_AND_ASSIGN(ChildSharedBitmapManager);
author	jbauman@chromium.org <jbauman@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2014-07-14 22:06:23 +0000
committer	jbauman@chromium.org <jbauman@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2014-07-14 22:06:23 +0000
commit	ae78c4e752cd14ef716c71e5334434d161cf4818 (patch)
tree	58ba5388669fc49d2297b422fa506e4887e91460
parent	ce290bc26b9e9f05b2b4c5d8d1b49aa0f62b41f2 (diff)
download	chromium_src-ae78c4e752cd14ef716c71e5334434d161cf4818.zip chromium_src-ae78c4e752cd14ef716c71e5334434d161cf4818.tar.gz chromium_src-ae78c4e752cd14ef716c71e5334434d161cf4818.tar.bz2