| field | value | date |
|---|---|---|
| author | ananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-04-02 05:59:09 +0000 |
| committer | ananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-04-02 05:59:09 +0000 |
| commit | 320c3b656fba917715ff8f44b2c5ce603845d363 (patch) | |
| tree | 2209a8f099ce08a240bd3735462f69893c464c27 /chrome_frame/urlmon_bind_status_callback.cc | |
| parent | 5ad5ce7429291b39b4019433326e77f2600bab75 (diff) | |
| download | chromium_src-320c3b656fba917715ff8f44b2c5ce603845d363.zip, chromium_src-320c3b656fba917715ff8f44b2c5ce603845d363.tar.gz, chromium_src-320c3b656fba917715ff8f44b2c5ce603845d363.tar.bz2 | |
Fix a ChromeFrame crash in the bind status callback which occurs due to a NULL delegate pointer
being dereferenced. It appears that there are cases where the IMoniker::BindToObject function
is called with a bind context without a registered callback. In this case we should not do anything.
Fix is to revoke our callback if we don't find a previous callback.
This fixes bug http://code.google.com/p/chromium/issues/detail?id=40153
Bug=40153
Review URL: http://codereview.chromium.org/1589010
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@43455 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome_frame/urlmon_bind_status_callback.cc')
-rw-r--r-- | chrome_frame/urlmon_bind_status_callback.cc | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/chrome_frame/urlmon_bind_status_callback.cc b/chrome_frame/urlmon_bind_status_callback.cc index 2b322362..ec51c57 100644 --- a/chrome_frame/urlmon_bind_status_callback.cc +++ b/chrome_frame/urlmon_bind_status_callback.cc @@ -46,7 +46,9 @@ HRESULT CFUrlmonBindStatusCallback::Initialize(IBindCtx* bind_ctx, HRESULT hr = ::RegisterBindStatusCallback(bind_ctx, this, delegate_.Receive(), 0); if (!delegate_) { - NOTREACHED(); + NOTREACHED() << "Failed to find registered bind status callback"; + ::RevokeBindStatusCallback(bind_ctx_, this); + bind_ctx_.Release(); hr = E_UNEXPECTED; } |
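Review bot: The new revoke call in the `if (!delegate_)` branch passes the member `bind_ctx_`, while the registration two lines earlier used the parameter `bind_ctx`; the hunk does not show where `bind_ctx_` is assigned, so please confirm it is already set (and non-null) at this point, otherwise `RevokeBindStatusCallback` runs against a null or stale context and `this` stays registered on the real bind context, which is exactly the NULL-delegate crash path this change is meant to close. Using the parameter directly, `::RevokeBindStatusCallback(bind_ctx, this);`, removes that dependency on member initialization order. Two smaller points on the same lines: the HRESULT from `RevokeBindStatusCallback` is discarded, so a failed revoke is silent while `bind_ctx_.Release()` still drops the object's reference; and `NOTREACHED()` is a no-op in release builds, so the revoke plus release is the only behaviour that protects production users and deserves a comment saying so, since the macro's message alone suggests the branch is unreachable.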