Fix a crash in ChromeFrame which would occur if we clicked both mouse buttons on a link.

The right click would run the TrackPopupMenuEx API which runs a system modal loop and the left click
would cause the current document to be destroyed causing a crash on return while accessing member
variables on a destroyed object.

Fix is to grab a reference on the current active document while handling the context menu event to protect
against us getting destroyed in the context of the TrackPopupMenuEx call.

We also need to NULL check the automation_client_ member in ChromeFramePlugin as this could be detached
from the existing active document and attached to the new active document instance which comes up to
handle the link navigation.

Fixes bug http://code.google.com/p/chromium/issues/detail?id=37220

Bug=37220

Review URL: http://codereview.chromium.org/664009

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@40547 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 8 insertions, 0 deletions

diff --git a/chrome_frame/chrome_frame_activex_base.h b/chrome_frame/chrome_frame_activex_base.h
index 487a3f6..4fe5e04 100644
--- a/chrome_frame/chrome_frame_activex_base.h
+++ b/chrome_frame/chrome_frame_activex_base.h
@@ -546,6 +546,14 @@ END_MSG_MAP()
     OnOpenURL(tab_handle, GURL(url), GURL(), disposition);
   }
 
+  virtual void OnHandleContextMenu(int tab_handle, HANDLE menu_handle,
+                                   int align_flags,
+                                   const IPC::ContextMenuParams& params) {
+    scoped_refptr<Base> ref(this);
+    ChromeFramePlugin<T>::OnHandleContextMenu(tab_handle, menu_handle,
+                                              align_flags, params);
+  }
+
   LRESULT OnCreate(UINT message, WPARAM wparam, LPARAM lparam,
                    BOOL& handled) {  // NO_LINT
     ModifyStyle(0, WS_CLIPCHILDREN | WS_CLIPSIBLINGS, 0);