diff options
| author | ananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-04-28 17:59:33 +0000 |
|---|---|---|
| committer | ananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-04-28 17:59:33 +0000 |
| commit | 1cf63017bf8c8923b2989dbcb8e5967d69159795 (patch) | |
| tree | e0df9ca09b53b4bd23a8024fba934ca8284babe1 /chrome_frame/chrome_frame_activex_base.h | |
| parent | 2a3a06654561be5d0a871c950e7a791bea57bb75 (diff) | |
| download | chromium_src-1cf63017bf8c8923b2989dbcb8e5967d69159795.zip chromium_src-1cf63017bf8c8923b2989dbcb8e5967d69159795.tar.gz chromium_src-1cf63017bf8c8923b2989dbcb8e5967d69159795.tar.bz2 | |
Fix a ChromeFrame crash reported on the crash server while processing an accelerator message. The crash happens while invoking the
IBrowserService2::v_MayTranslateAccelerator function. It appears from the dump that there are cases in IE8 where this interface
is actually implemented, but this function entry is NULL in the vtable. In any case from the comments in the code this interface
is only implemented till IE7.
Fixes bug http://code.google.com/p/chromium/issues/detail?id=25457
Bug=25457
Review URL: http://codereview.chromium.org/1718019
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@45831 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome_frame/chrome_frame_activex_base.h')
| -rw-r--r-- | chrome_frame/chrome_frame_activex_base.h | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/chrome_frame/chrome_frame_activex_base.h b/chrome_frame/chrome_frame_activex_base.h index 30d67de..fee5ba2 100644 --- a/chrome_frame/chrome_frame_activex_base.h +++ b/chrome_frame/chrome_frame_activex_base.h @@ -914,6 +914,7 @@ END_MSG_MAP() // sent to the out of proc chromium instance. // Returns S_OK iff the accelerator was handled by the browser. HRESULT AllowFrameToTranslateAccelerator(const MSG& msg) { + static const int kMayTranslateAcceleratorOffset = 0x170; // Although IBrowserService2 is officially deprecated, it's still alive // and well in IE7 and earlier. We have to use it here to correctly give // the browser a chance to handle keyboard shortcuts. @@ -925,14 +926,18 @@ END_MSG_MAP() // owned by the out-of-proc chromium instance so IE doesn't have a chance to // fall back on its default behavior. Instead we give IE a chance to // handle the shortcut here. - MSG accel_message = msg; accel_message.hwnd = ::GetParent(m_hWnd); - HRESULT hr = S_FALSE; ScopedComPtr<IBrowserService2> bs2; + // The code below explicitly checks for whether the + // IBrowserService2::v_MayTranslateAccelerator function is valid. On IE8 + // there is one vtable ieframe!c_ImpostorBrowserService2Vtbl where this + // function entry is NULL which leads to a crash. We don't know under what + // circumstances this vtable is actually used though. if (S_OK == DoQueryService(SID_STopLevelBrowser, m_spInPlaceSite, - bs2.Receive()) && bs2.get()) { + bs2.Receive()) && bs2.get() && + (bs2 + kMayTranslateAcceleratorOffset)) { hr = bs2->v_MayTranslateAccelerator(&accel_message); } else { // IE8 doesn't support IBrowserService2 unless you enable a special, |