chromium_src.git - central chromium sources

diff options

author	nasko <nasko@chromium.org>	2016-03-03 11:41:35 -0800
committer	Commit bot <commit-bot@chromium.org>	2016-03-03 19:44:59 +0000
commit	13b8e77d00895fd3d24aaef7f32eeb4adb68a080 (patch)
tree	ac6a730def53eb8e7008484baa39a2c0969bb12d /chromecast
parent	a1437c0f5983ce20e7a7e67b37cd46688f1536c0 (diff)
download	chromium_src-13b8e77d00895fd3d24aaef7f32eeb4adb68a080.zip chromium_src-13b8e77d00895fd3d24aaef7f32eeb4adb68a080.tar.gz chromium_src-13b8e77d00895fd3d24aaef7f32eeb4adb68a080.tar.bz2

Fix use-after-free when navigating a subframe to about:blank.

Navigation to about:blank is a synchronous navigation. If the parent frame has registered load event handler for the frame and removes it from the DOM, it will result in RenderFrame being deleted while still being on the stack. This CL is fixing this by returning immediately if the object is destructed as part of the navigation. BUG=571166, 591341 Review URL: https://codereview.chromium.org/1756483004 Cr-Commit-Position: refs/heads/master@{#379060}

Diffstat (limited to 'chromecast')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: