diff options
| author | tsepez@chromium.org <tsepez@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-08-07 03:32:47 +0000 |
|---|---|---|
| committer | tsepez@chromium.org <tsepez@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-08-07 03:32:47 +0000 |
| commit | b2aa9cee3f42207501413426b0bd9c344af52568 (patch) | |
| tree | 73aab406f8ff9d13801e4068a05a6093e1946b4d /pdf | |
| parent | 82307f6b304d5049d360db170b256bd4afe5eec9 (diff) | |
| download | chromium_src-b2aa9cee3f42207501413426b0bd9c344af52568.zip chromium_src-b2aa9cee3f42207501413426b0bd9c344af52568.tar.gz chromium_src-b2aa9cee3f42207501413426b0bd9c344af52568.tar.bz2 | |
Fix UAF in chrome_pdf::Instance::GetURL()
The instance owns the engine via its engine_ scoped_ptr, so if the engine is
being destroyed via the scoped_ptr destructor, it may not be safe to access
anything in the instance since the instance may be partially destroyed. Instead,
destroy the engine as the first step in the process so the instance is still
intact.
BUG=392956
Review URL: https://codereview.chromium.org/427583003
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@287955 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'pdf')
| -rw-r--r-- | pdf/instance.cc | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/pdf/instance.cc b/pdf/instance.cc index 4eabd26..d779089 100644 --- a/pdf/instance.cc +++ b/pdf/instance.cc @@ -307,6 +307,9 @@ Instance::Instance(PP_Instance instance) } Instance::~Instance() { + // The engine may try to access this instance during its destruction. + // Make sure this happens early while the instance is still intact. + engine_.reset(); RemovePerInstanceObject(kPPPPdfInterface, this); } |