authorjar@chromium.org <jar@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-08-03 07:01:47 +0000
committerjar@chromium.org <jar@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-08-03 07:01:47 +0000
commitfb6ec999c0d049c78b16ca6106d5e45624f94ac8 (patch)
treefd142dbcb133fbb70cfbcda4f7d547374c1c5cff /base/pickle.cc
parent8fc500d1b5d8b5bfddf829132606f91df1a841e6 (diff)
Add defensive code in pickle to preclude realloc of shared header_ memory.
Since I was able to (somehow) generate a problem with header_ being double freed (perhaps, because it was shared in some way??), this change adds several lines of defensive coding. The current assignment operator appears very dangerous, as it allowed Resize to be called when the header_ was not owned by the instance (it was read-only). I haven't found a path to cause a problem, but we may as well be defensive. BUG=17027 BUG=17088 r=CPU Review URL: http://codereview.chromium.org/160490 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@22261 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'base/pickle.cc')
-rw-r--r--base/pickle.cc9
1 files changed, 7 insertions, 2 deletions
diff --git a/base/pickle.cc b/base/pickle.cc
index e491832..31bf5b7 100644
--- a/base/pickle.cc
+++ b/base/pickle.cc
@@ -65,12 +65,16 @@ Pickle::~Pickle() {
}
Pickle& Pickle::operator=(const Pickle& other) {
- if (header_size_ != other.header_size_ && capacity_ != kCapacityReadOnly) {
+ if (capacity_ == kCapacityReadOnly) {
+ header_ = NULL;
+ capacity_ = 0;
+ }
+ if (header_size_ != other.header_size_) {
free(header_);
header_ = NULL;
header_size_ = other.header_size_;
}
- bool resized = Resize(other.header_size_ + other.header_->payload_size);
+ bool resized = Resize(header_size_ + other.header_->payload_size);
CHECK(resized); // Realloc failed.
memcpy(header_, other.header_, header_size_ + other.header_->payload_size);
variable_buffer_offset_ = other.variable_buffer_offset_;
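Review bot: Self-assignment of a read-only Pickle now dereferences a null pointer: the new block at the top of operator= sets `header_ = NULL` when `capacity_ == kCapacityReadOnly`, and when `&other == this` the later `Resize(header_size_ + other.header_->payload_size)` reads `payload_size` through that same, now-null, `other.header_`. Before the change the read-only case only skipped the free and fell through to the realloc/memcpy, so this is a new crash path rather than an old one. A guard as the first statement, `if (this == &other) return *this;`, closes it and also avoids the realloc followed by a memcpy whose source and destination are the same buffer in the owned-buffer self-assignment case. The body of operator= continues past the hunk (its `return *this` is not visible here).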
@@ -365,6 +369,7 @@ void Pickle::TrimWriteData(int new_length) {
bool Pickle::Resize(size_t new_capacity) {
new_capacity = AlignInt(new_capacity, kPayloadUnit);
+ CHECK(capacity_ != kCapacityReadOnly);
void* p = realloc(header_, new_capacity);
if (!p)
return false;