Copy buffers in base::FileUtilProxy::{Read,Write} to avoid memory corruption.

If caller has called PPB_FileIO_Impl::Close() while a read or write operation is in flight, and deletes the read or write buffer, we now avoid corrupting memory. For Write, FileUtilProxy::Write simply copies the input buffer before passing control to the FILE thread. For Read, the caller no longer passes a buffer; instead, they are passed a const char* in the ReadCallback. One caller of FileUtilProxy::Read outside of PPAPI was also updated. BUG=70285 R=darin Patch by Adam Klein (adamk@chromium.org) Originally reviewed at http://codereview.chromium.org/6312040/ Review URL: http://codereview.chromium.org/6349090 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@73714 0039d316-1c4b-4281-b951-d872f2087c98
author: darin@chromium.org <darin@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2011-02-04 00:39:34 +0000
committer: darin@chromium.org <darin@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2011-02-04 00:39:34 +0000
commit: 55181778eaf298eb2035f64d20a7ebe4e447a75e (patch)
tree: 691b9d2524539f3818f93c91db601a73632fa513 /base/file_util_proxy.cc
parent: 0e3ff908d6a65ea0e86ebf6a0093d2f12f16034d (diff)
download: chromium_src-55181778eaf298eb2035f64d20a7ebe4e447a75e.zip
chromium_src-55181778eaf298eb2035f64d20a7ebe4e447a75e.tar.gz
chromium_src-55181778eaf298eb2035f64d20a7ebe4e447a75e.tar.bz2
1 files changed, 15 insertions, 16 deletions
diff --git a/base/file_util_proxy.cc b/base/file_util_proxy.cc
index b4d0d54..d357e98 100644
--- a/base/file_util_proxy.cc
+++ b/base/file_util_proxy.cc
@@ -525,12 +525,11 @@ class RelayRead : public MessageLoopRelay {
  public:
   RelayRead(base::PlatformFile file,
             int64 offset,
-            char* buffer,
             int bytes_to_read,
-            base::FileUtilProxy::ReadWriteCallback* callback)
+            base::FileUtilProxy::ReadCallback* callback)
       : file_(file),
         offset_(offset),
-        buffer_(buffer),
+        buffer_(new char[bytes_to_read]),
         bytes_to_read_(bytes_to_read),
         callback_(callback),
         bytes_read_(0) {
@@ -538,7 +537,7 @@ class RelayRead : public MessageLoopRelay {
 
  protected:
   virtual void RunWork() {
-    bytes_read_ = base::ReadPlatformFile(file_, offset_, buffer_,
+    bytes_read_ = base::ReadPlatformFile(file_, offset_, buffer_.get(),
                                          bytes_to_read_);
     if (bytes_read_ < 0)
       set_error_code(base::PLATFORM_FILE_ERROR_FAILED);
@@ -546,7 +545,7 @@ class RelayRead : public MessageLoopRelay {
 
   virtual void RunCallback() {
     if (callback_) {
-      callback_->Run(error_code(), bytes_read_);
+      callback_->Run(error_code(), buffer_.get(), bytes_read_);
       delete callback_;
     }
   }
@@ -554,9 +553,9 @@ class RelayRead : public MessageLoopRelay {
  private:
   base::PlatformFile file_;
   int64 offset_;
-  char* buffer_;
+  scoped_array<char> buffer_;
   int bytes_to_read_;
-  base::FileUtilProxy::ReadWriteCallback* callback_;
+  base::FileUtilProxy::ReadCallback* callback_;
   int bytes_read_;
 };
 
@@ -566,17 +565,18 @@ class RelayWrite : public MessageLoopRelay {
              int64 offset,
              const char* buffer,
              int bytes_to_write,
-             base::FileUtilProxy::ReadWriteCallback* callback)
+             base::FileUtilProxy::WriteCallback* callback)
       : file_(file),
         offset_(offset),
-        buffer_(buffer),
+        buffer_(new char[bytes_to_write]),
         bytes_to_write_(bytes_to_write),
         callback_(callback) {
+    memcpy(buffer_.get(), buffer, bytes_to_write);
   }
 
  protected:
   virtual void RunWork() {
-    bytes_written_ = base::WritePlatformFile(file_, offset_, buffer_,
+    bytes_written_ = base::WritePlatformFile(file_, offset_, buffer_.get(),
                                              bytes_to_write_);
     if (bytes_written_ < 0)
       set_error_code(base::PLATFORM_FILE_ERROR_FAILED);
@@ -592,9 +592,9 @@ class RelayWrite : public MessageLoopRelay {
  private:
   base::PlatformFile file_;
   int64 offset_;
-  const char* buffer_;
+  scoped_array<char> buffer_;
   int bytes_to_write_;
-  base::FileUtilProxy::ReadWriteCallback* callback_;
+  base::FileUtilProxy::WriteCallback* callback_;
   int bytes_written_;
 };
 
@@ -843,11 +843,10 @@ bool FileUtilProxy::Read(
     scoped_refptr<MessageLoopProxy> message_loop_proxy,
     PlatformFile file,
     int64 offset,
-    char* buffer,
     int bytes_to_read,
-    ReadWriteCallback* callback) {
+    ReadCallback* callback) {
   return Start(FROM_HERE, message_loop_proxy,
-               new RelayRead(file, offset, buffer, bytes_to_read, callback));
+               new RelayRead(file, offset, bytes_to_read, callback));
 }
 
 // static
@@ -857,7 +856,7 @@ bool FileUtilProxy::Write(
     int64 offset,
     const char* buffer,
     int bytes_to_write,
-    ReadWriteCallback* callback) {
+    WriteCallback* callback) {
   return Start(FROM_HERE, message_loop_proxy,
                new RelayWrite(file, offset, buffer, bytes_to_write, callback));
 }
author	darin@chromium.org <darin@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2011-02-04 00:39:34 +0000
committer	darin@chromium.org <darin@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2011-02-04 00:39:34 +0000
commit	55181778eaf298eb2035f64d20a7ebe4e447a75e (patch)
tree	691b9d2524539f3818f93c91db601a73632fa513 /base/file_util_proxy.cc
parent	0e3ff908d6a65ea0e86ebf6a0093d2f12f16034d (diff)
download	chromium_src-55181778eaf298eb2035f64d20a7ebe4e447a75e.zip chromium_src-55181778eaf298eb2035f64d20a7ebe4e447a75e.tar.gz chromium_src-55181778eaf298eb2035f64d20a7ebe4e447a75e.tar.bz2