diff options
| author | epenner@chromium.org <epenner@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-04-23 02:12:02 +0000 |
|---|---|---|
| committer | epenner@chromium.org <epenner@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-04-23 02:12:02 +0000 |
| commit | 2462b7f03c2f88b2d5c278be0d755eaac824a635 (patch) | |
| tree | 19f3d0583f44a99d1f0fcecb6da2fc8709ff1568 /content | |
| parent | eecfd9fc99d61d45cb794606a90c9a90d158ada1 (diff) | |
| download | chromium_src-2462b7f03c2f88b2d5c278be0d755eaac824a635.zip chromium_src-2462b7f03c2f88b2d5c278be0d755eaac824a635.tar.gz chromium_src-2462b7f03c2f88b2d5c278be0d755eaac824a635.tar.bz2 | |
CC: Avoid use-after free when accessing sync_message_filter
The SyncMessageFilter is accessed from ChildThread. This keeps a reference instead so we don't risk use-after-free while accessing it.
BUG=232981
NOTRY=true
No try since win-aura and mac-asan failures are unrelated.
Review URL: https://chromiumcodereview.appspot.com/14057023
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@195689 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'content')
| -rw-r--r-- | content/renderer/gpu/compositor_output_surface.cc | 5 | ||||
| -rw-r--r-- | content/renderer/gpu/compositor_output_surface.h | 2 |
2 files changed, 5 insertions, 2 deletions
diff --git a/content/renderer/gpu/compositor_output_surface.cc b/content/renderer/gpu/compositor_output_surface.cc index 10bbd1f..8d24043 100644 --- a/content/renderer/gpu/compositor_output_surface.cc +++ b/content/renderer/gpu/compositor_output_surface.cc @@ -16,7 +16,6 @@ #include "content/renderer/render_thread_impl.h" #include "ipc/ipc_forwarding_message_filter.h" #include "ipc/ipc_sync_channel.h" -#include "ipc/ipc_sync_message_filter.h" #include "third_party/WebKit/Source/Platform/chromium/public/WebGraphicsContext3D.h" #if defined(OS_ANDROID) @@ -69,6 +68,8 @@ CompositorOutputSurface::CompositorOutputSurface( capabilities_.has_parent_compositor = command_line->HasSwitch( switches::kEnableDelegatedRenderer); DetachFromThread(); + message_sender_ = RenderThreadImpl::current()->sync_message_filter(); + DCHECK(message_sender_); } CompositorOutputSurface::~CompositorOutputSurface() { @@ -163,7 +164,7 @@ void CompositorOutputSurface::OnSwapAck(const cc::CompositorFrameAck& ack) { } bool CompositorOutputSurface::Send(IPC::Message* message) { - return ChildThread::current()->sync_message_filter()->Send(message); + return message_sender_->Send(message); } namespace { diff --git a/content/renderer/gpu/compositor_output_surface.h b/content/renderer/gpu/compositor_output_surface.h index 9faa373..e62990c 100644 --- a/content/renderer/gpu/compositor_output_surface.h +++ b/content/renderer/gpu/compositor_output_surface.h @@ -13,6 +13,7 @@ #include "base/threading/platform_thread.h" #include "base/time.h" #include "cc/output/output_surface.h" +#include "ipc/ipc_sync_message_filter.h" namespace base { class TaskRunner; @@ -93,6 +94,7 @@ class CompositorOutputSurface scoped_refptr<IPC::ForwardingMessageFilter> output_surface_filter_; scoped_refptr<CompositorOutputSurfaceProxy> output_surface_proxy_; + scoped_refptr<IPC::SyncMessageFilter> message_sender_; int routing_id_; bool prefers_smoothness_; base::PlatformThreadId main_thread_id_; |