author | Raymes Khoury <raymes@chromium.org> | 2015-01-27 13:00:11 +1100 |
---|---|---|
committer | Raymes Khoury <raymes@chromium.org> | 2015-01-27 02:07:04 +0000 |
commit | 70b5863decfedcf93d371c1c67ba1edf9b482a51 (patch) | |
tree | 82b5fe3e6f0f17b87fe4d2af8ba27d9f86ec34dc /extensions/renderer/guest_view/mime_handler_view/mime_handler_view_container.cc | |
parent | c3ef7fc8833a675d999002bb2b64cd2882a2113b (diff) | |
Merge: Prevent UAF of RenderFrames from GuestViewContainer
Currently the RenderFrame a GuestViewContainer is associated with can be
accessed even after it is destroyed. We should track the destruction with
a RenderFrameObserver and avoid accesses in that case.
BUG=449574
Committed: https://crrev.com/4d29dd615212c539463a4e4a02188aa34d06e96f
Cr-Commit-Position: refs/heads/master@{#312143}
Review URL: https://codereview.chromium.org/822483007
Cr-Commit-Position: refs/heads/master@{#312216}
(cherry picked from commit 569ce1bcb696473c117b8afdc15871183c0052ef)
TBR=raymes@chromium.org
Review URL: https://codereview.chromium.org/876983002
Cr-Commit-Position: refs/branch-heads/2272@{#124}
Cr-Branched-From: 827a380cfdb31aa54c8d56e63ce2c3fd8c3ba4d4-refs/heads/master@{#310958}
Diffstat (limited to 'extensions/renderer/guest_view/mime_handler_view/mime_handler_view_container.cc')
-rw-r--r-- | extensions/renderer/guest_view/mime_handler_view/mime_handler_view_container.cc | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/extensions/renderer/guest_view/mime_handler_view/mime_handler_view_container.cc b/extensions/renderer/guest_view/mime_handler_view/mime_handler_view_container.cc
index 85f6930..4ae5060 100644
--- a/extensions/renderer/guest_view/mime_handler_view/mime_handler_view_container.cc
+++ b/extensions/renderer/guest_view/mime_handler_view/mime_handler_view_container.cc
@@ -195,6 +195,10 @@ void MimeHandlerViewContainer::OnCreateMimeHandlerViewGuestACK(
 int element_instance_id) {
 DCHECK_NE(this->element_instance_id(), guestview::kInstanceIDNone);
 DCHECK_EQ(this->element_instance_id(), element_instance_id);
+
+ if (!render_frame())
+ return;
+
 render_frame()->AttachGuest(element_instance_id);
 }
@@ -207,6 +211,9 @@ void MimeHandlerViewContainer::OnGuestAttached(int /* unused */,
 void MimeHandlerViewContainer::OnMimeHandlerViewGuestOnLoadCompleted(
 int /* unused */) {
+ if (!render_frame())
+ return;
+
 guest_loaded_ = true;
 if (pending_messages_.empty())
 return;
@@ -234,6 +241,10 @@ void MimeHandlerViewContainer::CreateMimeHandlerViewGuest() {
 DCHECK(!stream_url.spec().empty());
 DCHECK_NE(element_instance_id(), guestview::kInstanceIDNone);
+
+ if (!render_frame())
+ return;
+
 render_frame()->Send(new ExtensionHostMsg_CreateMimeHandlerViewGuest(
 render_frame()->GetRoutingID(), stream_url.spec(), original_url_.spec(),
 mime_type_, element_instance_id())); |
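Review bot: The `if (!render_frame()) return;` guard added in OnCreateMimeHandlerViewGuestACK, and repeated in OnMimeHandlerViewGuestOnLoadCompleted and CreateMimeHandlerViewGuest, carries no comment saying why the frame can be null at that point. A later cleanup could take it for dead code and reopen the use-after-free, so I would put `// The RenderFrame may already have been destroyed (bug 449574); do not touch it.` above each guard. The guards cover only these three call sites; any other `render_frame()` dereference in this file or its base class lies outside the visible hunks and presumably needs the same check. Only the tail of OnCreateMimeHandlerViewGuestACK is visible here, since its signature starts above the hunk.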
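Review bot: In OnMimeHandlerViewGuestOnLoadCompleted the early return sits before `guest_loaded_ = true;`, so once the frame is gone the flag stays false and `pending_messages_` is neither flushed nor dropped. That is likely harmless if the container is torn down straight after, but if any path can still queue messages (not visible in this hunk) they would accumulate until destruction. Either state the intent with a comment such as `// Frame is gone: queued messages are intentionally abandoned with the container.` or call `pending_messages_.clear();` before returning. The function body continues past the end of the hunk.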