author | eroman@chromium.org <eroman@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-04-26 20:39:42 +0000 |
---|---|---|
committer | eroman@chromium.org <eroman@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-04-26 20:39:42 +0000 |
commit | 5e80615a54f16a9ef0a877001cfd1ea887001ee6 (patch) | |
tree | 18f89a7102d39e01f6c8b6b23f2bce34d9e84fc2 /content | |
parent | b2aaed8ce0d5e41aa695703772841bf155f05701 (diff) | |
Prevent a NULL pointer crash in RedirectToFileResourceHandler::OnRequestClosed() if the request is closed before the temporary file is created.
BUG=79099
TEST=See http://crbug.com/79099#c4.
Review URL: http://codereview.chromium.org/6905008
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@83064 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'content')
-rw-r--r-- | content/browser/renderer_host/redirect_to_file_resource_handler.cc | 24 | ||||
-rw-r--r-- | content/browser/renderer_host/redirect_to_file_resource_handler.h | 3 |
2 files changed, 21 insertions, 6 deletions
diff --git a/content/browser/renderer_host/redirect_to_file_resource_handler.cc b/content/browser/renderer_host/redirect_to_file_resource_handler.cc index 952a896..6342cd1 100644 --- a/content/browser/renderer_host/redirect_to_file_resource_handler.cc +++ b/content/browser/renderer_host/redirect_to_file_resource_handler.cc @@ -36,7 +36,8 @@ RedirectToFileResourceHandler::RedirectToFileResourceHandler( write_cursor_(0), write_callback_(ALLOW_THIS_IN_INITIALIZER_LIST(this), &RedirectToFileResourceHandler::DidWriteToFile), - write_callback_pending_(false) { + write_callback_pending_(false), + request_was_closed_(false) { } bool RedirectToFileResourceHandler::OnUploadProgress(int request_id, @@ -139,12 +140,18 @@ bool RedirectToFileResourceHandler::OnResponseCompleted( } void RedirectToFileResourceHandler::OnRequestClosed() { - // We require this explicit call to Close since file_stream_ was constructed - // directly from a PlatformFile. - file_stream_->Close(); - file_stream_.reset(); + DCHECK(!request_was_closed_); + request_was_closed_ = true; + + // It is possible for |file_stream_| to be NULL if the request was closed + // before the temporary file creation finished. + if (file_stream_.get()) { + // We require this explicit call to Close since file_stream_ was constructed + // directly from a PlatformFile. + file_stream_->Close(); + file_stream_.reset(); + } deletable_file_ = NULL; - next_handler_->OnRequestClosed(); } @@ -156,6 +163,11 @@ void RedirectToFileResourceHandler::DidCreateTemporaryFile( base::PlatformFileError /*error_code*/, base::PassPlatformFile file_handle, FilePath file_path) { + if (request_was_closed_) { + // If the request was already closed, then don't bother allocating the + // file_stream_ (otherwise we will leak it). + return; + } deletable_file_ = DeletableFileReference::GetOrCreate( file_path, BrowserThread::GetMessageLoopProxyForThread(BrowserThread::FILE)); 
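Review bot: The new early return in `DidCreateTemporaryFile()` (third hunk) runs before `DeletableFileReference::GetOrCreate(file_path, ...)`, so when the request was closed first, nothing visible here takes ownership of the temporary file that was just created, and it appears to stay on disk. The `file_handle` argument is also dropped without being taken; whether the caller closes an unclaimed `PassPlatformFile` is not visible in this hunk and should be confirmed. Repeated early cancellations would then accumulate stray temp files (and possibly open handles) in the browser process. Consider doing the check after the `GetOrCreate()` call and ending the branch with `deletable_file_ = NULL; return;`, assuming that releasing the last reference deletes the file, or at least add a comment stating who cleans up `file_path` and `file_handle` on this path. The function body continues past the end of the hunk.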
diff --git a/content/browser/renderer_host/redirect_to_file_resource_handler.h b/content/browser/renderer_host/redirect_to_file_resource_handler.h index cf30099..0fe2548 100644 --- a/content/browser/renderer_host/redirect_to_file_resource_handler.h +++ b/content/browser/renderer_host/redirect_to_file_resource_handler.h @@ -83,6 +83,9 @@ class RedirectToFileResourceHandler : public ResourceHandler { // a result of the download. scoped_refptr<webkit_blob::DeletableFileReference> deletable_file_; + // True if OnRequestClosed() has already been called. + bool request_was_closed_; + DISALLOW_COPY_AND_ASSIGN(RedirectToFileResourceHandler); }; |