diff options
| author | Ilya Sherman <isherman@chromium.org> | 2015-03-11 14:29:54 -0700 |
|---|---|---|
| committer | Ilya Sherman <isherman@chromium.org> | 2015-03-11 21:31:28 +0000 |
| commit | c72c5e79e14186e79b0d1c3dee986d1fb198f083 (patch) | |
| tree | 95f02645883025c2bb1b650e7e557275790217a4 | |
| parent | b9b198c52d3b94c538ce126b9d1c5f3e76c011a1 (diff) | |
| download | chromium_src-c72c5e79e14186e79b0d1c3dee986d1fb198f083.zip chromium_src-c72c5e79e14186e79b0d1c3dee986d1fb198f083.tar.gz chromium_src-c72c5e79e14186e79b0d1c3dee986d1fb198f083.tar.bz2 | |
[Merge] Fix a null-pointer dereference in ChromeOS Bluetooth code.
The code had undefined behavior, depending on what order the compiler chose to evaluate the arguments in. Specifically, the call to RegisterProfile() required evaluation of two arguments: |profile->object_path()| and |base::Bind(success_callback, base::Passed(&profile))|. If the latter was evaluated first, then |profile| would be null by the time that the prior was evaluated.
The crash stack is:
Program received signal SIGSEGV, Segmentation fault.
std::string::compare() const ()
StartsWithASCII()
dbus::IsValidObjectPath()
dbus::MessageWriter::AppendObjectPath()
chromeos::BluetoothProfileManagerClientImpl::RegisterProfile()
chromeos::BluetoothAdapterProfileChromeOS::Register()
chromeos::BluetoothAdapterChromeOS::UseProfile()
chromeos::BluetoothSocketChromeOS::RegisterProfile()
BUG=457978
TEST=(see bug, comment #14)
TBR=armansito@chromium.org, jamuraa@chromium.org
Review URL: https://codereview.chromium.org/997023002
Cr-Commit-Position: refs/heads/master@{#320139}
(cherry picked from commit 847466627013483020c6683c303752b6fab97b97)
Review URL: https://codereview.chromium.org/997963003
Cr-Commit-Position: refs/branch-heads/2311@{#214}
Cr-Branched-From: 09b7de5dd7254947cd4306de907274fa63373d48-refs/heads/master@{#317474}
| -rw-r--r-- | device/bluetooth/bluetooth_adapter_profile_chromeos.cc | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/device/bluetooth/bluetooth_adapter_profile_chromeos.cc b/device/bluetooth/bluetooth_adapter_profile_chromeos.cc index f800304..207c55c4 100644 --- a/device/bluetooth/bluetooth_adapter_profile_chromeos.cc +++ b/device/bluetooth/bluetooth_adapter_profile_chromeos.cc @@ -28,8 +28,9 @@ void BluetoothAdapterProfileChromeOS::Register( new BluetoothAdapterProfileChromeOS(uuid)); VLOG(1) << "Registering profile: " << profile->object_path().value(); + const dbus::ObjectPath& object_path = profile->object_path(); DBusThreadManager::Get()->GetBluetoothProfileManagerClient()->RegisterProfile( - profile->object_path(), + object_path, uuid.canonical_value(), options, base::Bind(success_callback, base::Passed(&profile)), |