authorRaymes Khoury <raymes@chromium.org>2015-01-27 13:00:11 +1100
committerRaymes Khoury <raymes@chromium.org>2015-01-27 02:07:04 +0000
commit70b5863decfedcf93d371c1c67ba1edf9b482a51 (patch)
tree82b5fe3e6f0f17b87fe4d2af8ba27d9f86ec34dc /extensions/renderer/guest_view/mime_handler_view/mime_handler_view_container.cc
parentc3ef7fc8833a675d999002bb2b64cd2882a2113b (diff)
Merge: Prevent UAF of RenderFrames from GuestViewContainer
Currently the RenderFrame a GuestViewContainer is associated with can be accessed even after it is destroyed. We should track the destruction with a RenderFrameObserver and avoid accesses in that case. BUG=449574 Committed: https://crrev.com/4d29dd615212c539463a4e4a02188aa34d06e96f Cr-Commit-Position: refs/heads/master@{#312143} Review URL: https://codereview.chromium.org/822483007 Cr-Commit-Position: refs/heads/master@{#312216} (cherry picked from commit 569ce1bcb696473c117b8afdc15871183c0052ef) TBR=raymes@chromium.org Review URL: https://codereview.chromium.org/876983002 Cr-Commit-Position: refs/branch-heads/2272@{#124} Cr-Branched-From: 827a380cfdb31aa54c8d56e63ce2c3fd8c3ba4d4-refs/heads/master@{#310958}
Diffstat (limited to 'extensions/renderer/guest_view/mime_handler_view/mime_handler_view_container.cc')
-rw-r--r--extensions/renderer/guest_view/mime_handler_view/mime_handler_view_container.cc11
1 files changed, 11 insertions, 0 deletions
diff --git a/extensions/renderer/guest_view/mime_handler_view/mime_handler_view_container.cc b/extensions/renderer/guest_view/mime_handler_view/mime_handler_view_container.cc
index 85f6930..4ae5060 100644
--- a/extensions/renderer/guest_view/mime_handler_view/mime_handler_view_container.cc
+++ b/extensions/renderer/guest_view/mime_handler_view/mime_handler_view_container.cc
@@ -195,6 +195,10 @@ void MimeHandlerViewContainer::OnCreateMimeHandlerViewGuestACK(
int element_instance_id) {
DCHECK_NE(this->element_instance_id(), guestview::kInstanceIDNone);
DCHECK_EQ(this->element_instance_id(), element_instance_id);
+
+ if (!render_frame())
+ return;
+
render_frame()->AttachGuest(element_instance_id);
}
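Review bot: The new `if (!render_frame()) return;` guard in OnCreateMimeHandlerViewGuestACK has no comment saying when the accessor is null, and the same bare guard is repeated in OnMimeHandlerViewGuestOnLoadCompleted and CreateMimeHandlerViewGuest. A reader of this file alone cannot tell that null means "the frame was destroyed", so I would add `// The RenderFrame can be destroyed before this IPC arrives; render_frame() is null then.` above each guard. Because the protection is per call site, any other `render_frame()->` use in this file that these hunks do not show would presumably still crash after frame destruction, so it is worth checking the rest of the file for unguarded uses. The function's signature starts above the hunk.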
@@ -207,6 +211,9 @@ void MimeHandlerViewContainer::OnGuestAttached(int /* unused */,
void MimeHandlerViewContainer::OnMimeHandlerViewGuestOnLoadCompleted(
int /* unused */) {
+ if (!render_frame())
+ return;
+
guest_loaded_ = true;
if (pending_messages_.empty())
return;
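Review bot: The early return added at the top of OnMimeHandlerViewGuestOnLoadCompleted skips `guest_loaded_ = true` and leaves `pending_messages_` untouched, so a container that outlives its frame keeps whatever was queued and still reports the guest as not loaded. If the code that queues messages (not visible here) keys off `guest_loaded_`, it would presumably keep appending to a queue that is never drained. Either state in a comment that this is intended because the container is about to be torn down, or drop the queue on this path with `pending_messages_.clear();` before the `return;`. The function body continues past the end of the hunk.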
@@ -234,6 +241,10 @@ void MimeHandlerViewContainer::CreateMimeHandlerViewGuest() {
DCHECK(!stream_url.spec().empty());
DCHECK_NE(element_instance_id(), guestview::kInstanceIDNone);
+
+ if (!render_frame())
+ return;
+
render_frame()->Send(new ExtensionHostMsg_CreateMimeHandlerViewGuest(
render_frame()->GetRoutingID(), stream_url.spec(), original_url_.spec(),
mime_type_, element_instance_id()));