Fix a crash in ChromeFrame in our IBindStatusCallback wrapper which attempts to cache the data received

in the OnDataAvailable notification. The crash occurs because we receive a STGMEDIUM structure indicating
that the medium type is a file and we attempt to dereference it as a stream.

Fix is to call the original delegate and bail if we receive anything but a stream.

This fixes bug http://code.google.com/p/chromium/issues/detail?id=40152

Bug=40152

Review URL: http://codereview.chromium.org/1576014

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@43418 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 9 insertions, 2 deletions

diff --git a/chrome_frame/urlmon_bind_status_callback.cc b/chrome_frame/urlmon_bind_status_callback.cc
index d7608ce..2b322362 100644
--- a/chrome_frame/urlmon_bind_status_callback.cc
+++ b/chrome_frame/urlmon_bind_status_callback.cc
@@ -173,8 +173,15 @@ HRESULT CFUrlmonBindStatusCallback::OnDataAvailable(DWORD bscf, DWORD size,
       << StringPrintf(" tid=%i original fmt=%ls",
                       PlatformThread::CurrentId(), clip_fmt_name);
 
-  DCHECK(stgmed);
-  DCHECK(stgmed->tymed == TYMED_ISTREAM);
+  if (!stgmed) {
+    NOTREACHED() << "Invalid STGMEDIUM received";
+    return delegate_->OnDataAvailable(bscf, size, format_etc, stgmed);
+  }
+
+  if (stgmed->tymed != TYMED_ISTREAM) {
+    DLOG(INFO) << "Not handling medium:" << stgmed->tymed;
+    return delegate_->OnDataAvailable(bscf, size, format_etc, stgmed);
+  }
 
   if (bscf & BSCF_FIRSTDATANOTIFICATION) {
     DLOG(INFO) << "first data notification";