diff options
| author | jeremy@chromium.org <jeremy@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-04-25 09:14:11 +0000 |
|---|---|---|
| committer | jeremy@chromium.org <jeremy@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-04-25 09:14:11 +0000 |
| commit | 164363ea9e45860ae7a3181ce68e4d3727623c0f (patch) | |
| tree | 2c0452e4664caced0a9ed400243b3ddf8276f41c /chrome/browser/cocoa | |
| parent | 109fe8709c67f28929e30a05393c233dc41c3c35 (diff) | |
| download | chromium_src-164363ea9e45860ae7a3181ce68e4d3727623c0f.zip chromium_src-164363ea9e45860ae7a3181ce68e4d3727623c0f.tar.gz chromium_src-164363ea9e45860ae7a3181ce68e4d3727623c0f.tar.bz2 | |
Mac: Fix use-after-free in translate infobar options menu.
The "About Translate" command opens a new tab which closes the infobar, we where trying to update the options menu which acccessed an already released object.
The fix is to match Windows behavior and only rebuild the options menu when clicked.
Thanks to Rohit for diagnosing the problem!
BUG=42030
TEST=repro in bug description.
Review URL: http://codereview.chromium.org/1756006
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@45553 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/browser/cocoa')
| -rw-r--r-- | chrome/browser/cocoa/translate_infobar.mm | 20 |
1 files changed, 14 insertions, 6 deletions
diff --git a/chrome/browser/cocoa/translate_infobar.mm b/chrome/browser/cocoa/translate_infobar.mm index d4df101..c6e0ae3 100644 --- a/chrome/browser/cocoa/translate_infobar.mm +++ b/chrome/browser/cocoa/translate_infobar.mm @@ -261,9 +261,6 @@ class TranslateNotificationObserverBridge : } - (void)languageModified { - // If necessary, update state and translate. - [self rebuildOptionsMenu]; - // Selecting an item from the "from language" menu in the before translate // phase shouldn't trigger translation - http://crbug.com/36666 TranslateInfoBarDelegate* delegate = [self delegate]; @@ -574,6 +571,10 @@ class TranslateNotificationObserverBridge : // Instantiate additional controls. [self constructViews]; + // Set ourselves as the delegate for the options menu so we can populate it + // dynamically. + [[optionsPopUp_ menu] setDelegate:self]; + // Replace label_ with label1_ so we get a consistent look between all the // labels we display in the translate view. [[label_ superview] replaceSubview:label_ with:label1_.get()]; @@ -653,15 +654,22 @@ class TranslateNotificationObserverBridge : - (void)menuItemSelected:(id)item { if ([item respondsToSelector:@selector(tag)]) { int cmd = [item tag]; + // Danger Will Robinson! : This call can release the infobar (e.g. invoking + // "About Translate" can open a new tab). + // Do not access member variables after this line! menu_model_->ExecuteCommand(cmd); - - // The command many change the state of the options menu items. - [self rebuildOptionsMenu]; } else { NOTREACHED(); } } +#pragma mark NSMenuDelegate + +// Invoked by virtue of us being set as the delegate for the options menu. +- (void)menuNeedsUpdate:(NSMenu *)menu { + [self rebuildOptionsMenu]; +} + #pragma mark TestingAPI - (NSMenu*)optionsMenu { return [optionsPopUp_ menu]; |