authorananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-03-03 22:11:19 +0000
committerananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-03-03 22:11:19 +0000
commit045229a7b8efe2d5fde3aa032805aa8c9268c8ba (patch)
tree53467d6617e1f3ea79c05cb3f50ac293c05a1b79 /chrome_frame
parent32da100526eadc7d8f2d97753a48f5917bb17c66 (diff)
Fix a crash in ChromeFrame which would occur if we clicked both mouse buttons on a link.
The right click would run the TrackPopupMenuEx API which runs a system modal loop and the left click would cause the current document to be destroyed causing a crash on return while accessing member variables on a destroyed object. Fix is to grab a reference on the current active document while handling the context menu event to protect against us getting destroyed in the context of the TrackPopupMenuEx call. We also need to NULL check the automation_client_ member in ChromeFramePlugin as this could be detached from the existing active document and attached to the new active document instance which comes up to handle the link navigation. Fixes bug http://code.google.com/p/chromium/issues/detail?id=37220 Bug=37220 Review URL: http://codereview.chromium.org/664009 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@40547 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome_frame')
-rw-r--r--chrome_frame/chrome_frame_activex_base.h8
-rw-r--r--chrome_frame/chrome_frame_plugin.h29
2 files changed, 25 insertions, 12 deletions
diff --git a/chrome_frame/chrome_frame_activex_base.h b/chrome_frame/chrome_frame_activex_base.h
index 487a3f6..4fe5e04 100644
--- a/chrome_frame/chrome_frame_activex_base.h
+++ b/chrome_frame/chrome_frame_activex_base.h
@@ -546,6 +546,14 @@ END_MSG_MAP()
OnOpenURL(tab_handle, GURL(url), GURL(), disposition);
}
+ virtual void OnHandleContextMenu(int tab_handle, HANDLE menu_handle,
+ int align_flags,
+ const IPC::ContextMenuParams& params) {
+ scoped_refptr<Base> ref(this);
+ ChromeFramePlugin<T>::OnHandleContextMenu(tab_handle, menu_handle,
+ align_flags, params);
+ }
+
LRESULT OnCreate(UINT message, WPARAM wparam, LPARAM lparam,
BOOL& handled) { // NO_LINT
ModifyStyle(0, WS_CLIPCHILDREN | WS_CLIPSIBLINGS, 0);
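Review bot: The local `ref` in the new OnHandleContextMenu override is never read, so it looks like dead code, and nothing on the line says why it exists. It is the only thing keeping this object alive while the base-class call sits in the modal menu loop, so a later cleanup that removes it would bring back the use-after-free this commit fixes. I would put a comment above it, for example `// Keep |this| alive across the modal TrackPopupMenuEx loop; the document can be destroyed while the menu is up.`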
diff --git a/chrome_frame/chrome_frame_plugin.h b/chrome_frame/chrome_frame_plugin.h
index be85e26..078a611 100644
--- a/chrome_frame/chrome_frame_plugin.h
+++ b/chrome_frame/chrome_frame_plugin.h
@@ -25,7 +25,7 @@ class ChromeFramePlugin : public ChromeFrameDelegateImpl {
Uninitialize();
}
-BEGIN_MSG_MAP(ChromeFrameActivex)
+BEGIN_MSG_MAP(T)
MESSAGE_HANDLER(WM_SETFOCUS, OnSetFocus)
MESSAGE_HANDLER(WM_SIZE, OnSize)
MESSAGE_HANDLER(WM_PARENTNOTIFY, OnParentNotify)
@@ -43,7 +43,7 @@ END_MSG_MAP()
}
void Uninitialize() {
- if (automation_client_.get()) {
+ if (IsValid()) {
automation_client_->Uninitialize();
automation_client_ = NULL;
}
@@ -52,6 +52,7 @@ END_MSG_MAP()
bool InitializeAutomation(const std::wstring& profile_name,
const std::wstring& extra_chrome_arguments,
bool incognito) {
+ DCHECK(IsValid());
// We don't want to do incognito when privileged, since we're
// running in browser chrome or some other privileged context.
bool incognito_mode = !is_privileged_ && incognito;
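Review bot: `DCHECK(IsValid())` at the top of InitializeAutomation only protects debug builds; in a release build it compiles away and the function goes on to whatever it does with automation_client_ further down (the body continues outside this hunk). The commit message says the client can be detached from this plugin, so an explicit early exit would be safer here: `if (!IsValid()) { NOTREACHED(); return false; }`. IsValid() is not defined in this diff; I am assuming it tests automation_client_ for NULL, as the replaced `.get()` checks elsewhere in the file suggest.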
@@ -78,7 +79,7 @@ END_MSG_MAP()
virtual void OnAutomationServerReady() {
// Issue the extension automation request if we're privileged to
// allow this control to handle extension requests from Chrome.
- if (is_privileged_)
+ if (is_privileged_ && IsValid())
automation_client_->SetEnableExtensionAutomation(functions_enabled_);
}
@@ -87,7 +88,8 @@ END_MSG_MAP()
}
virtual void OnHostMoved() {
- automation_client_->OnChromeFrameHostMoved();
+ if (IsValid())
+ automation_client_->OnChromeFrameHostMoved();
}
protected:
@@ -123,7 +125,8 @@ END_MSG_MAP()
params.screen_y, GetWindow(), NULL);
// Menu is over now give focus back to chrome
GiveFocusToChrome();
- if (selected != 0 && !self->HandleContextMenuCommand(selected, params)) {
+ if (IsValid() && selected != 0 &&
+ !self->HandleContextMenuCommand(selected, params)) {
automation_client_->SendContextMenuCommandToChromeFrame(selected);
}
}
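Review bot: The `IsValid()` test added after the menu returns reads a member of `this`, so it is only safe if something keeps the object alive across the TrackPopupMenuEx call. The override in chrome_frame_activex_base.h takes that reference, but nothing in this function does, and any other class deriving from ChromeFramePlugin (none is visible in this diff) would reach this code without it. Either take the reference here, next to the modal call, or state the precondition in a comment such as `// Callers must hold a reference on |this|; the menu loop below can destroy the document.` The function starts above this hunk, so an existing guard there cannot be ruled out.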
@@ -133,7 +136,7 @@ END_MSG_MAP()
LRESULT OnSetFocus(UINT message, WPARAM wparam, LPARAM lparam,
BOOL& handled) { // NO_LINT
- if (!ignore_setfocus_ && automation_client_ != NULL) {
+ if (!ignore_setfocus_ && IsValid()) {
GiveFocusToChrome();
}
return 0;
@@ -143,7 +146,7 @@ END_MSG_MAP()
BOOL& handled) { // NO_LINT
handled = FALSE;
// When we get resized, we need to resize the external tab window too.
- if (automation_client_.get())
+ if (IsValid())
automation_client_->Resize(LOWORD(lparam), HIWORD(lparam),
SWP_NOACTIVATE | SWP_NOZORDER);
return 0;
@@ -197,11 +200,13 @@ END_MSG_MAP()
}
void GiveFocusToChrome() {
- TabProxy* tab = automation_client_->tab();
- HWND chrome_window = automation_client_->tab_window();
- if (tab && ::IsWindow(chrome_window)) {
- DLOG(INFO) << "Setting initial focus";
- tab->SetInitialFocus(win_util::IsShiftPressed());
+ if (IsValid()) {
+ TabProxy* tab = automation_client_->tab();
+ HWND chrome_window = automation_client_->tab_window();
+ if (tab && ::IsWindow(chrome_window)) {
+ DLOG(INFO) << "Setting initial focus";
+ tab->SetInitialFocus(win_util::IsShiftPressed());
+ }
}
}