diff options
| author | teravest@chromium.org <teravest@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-04-26 22:02:53 +0000 |
|---|---|---|
| committer | teravest@chromium.org <teravest@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-04-26 22:02:53 +0000 |
| commit | 6018116f1cd8989b77a5f29b7afa5616875cad6d (patch) | |
| tree | cd9e9e90194b523aa8bd635b57508754f77422e1 /ppapi/proxy | |
| parent | 7eac08ec6eb00fbfbcd8c9dfb87ab64b2ef598bc (diff) | |
| download | chromium_src-6018116f1cd8989b77a5f29b7afa5616875cad6d.zip chromium_src-6018116f1cd8989b77a5f29b7afa5616875cad6d.tar.gz chromium_src-6018116f1cd8989b77a5f29b7afa5616875cad6d.tar.bz2 | |
Pepper: Fix use-after-free bug in PluginVarTracker.
A PluginDispatcher may destroy itself in reaction to a channel error. However,
ProxyObjectVar instances may still have a pointer to the (destroyed)
dispatcher. This is problematic when the plugin wants to send a message to the
host to release the object; the ProxyObjectVar doesn't know the
PluginDispatcher has been deleted.
This change alters PluginDispatcher to invoke DidDeleteDispatcher() on the
PluginVarTracker, which will clean up the dangling dispatcher pointers.
BUG=233044
Review URL: https://chromiumcodereview.appspot.com/14054020
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@196850 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'ppapi/proxy')
| -rw-r--r-- | ppapi/proxy/plugin_dispatcher.cc | 3 | ||||
| -rw-r--r-- | ppapi/proxy/plugin_var_tracker.cc | 22 | ||||
| -rw-r--r-- | ppapi/proxy/plugin_var_tracker.h | 4 | ||||
| -rw-r--r-- | ppapi/proxy/proxy_object_var.h | 2 |
4 files changed, 26 insertions, 5 deletions
diff --git a/ppapi/proxy/plugin_dispatcher.cc b/ppapi/proxy/plugin_dispatcher.cc index 812b2e9..8cac63f 100644 --- a/ppapi/proxy/plugin_dispatcher.cc +++ b/ppapi/proxy/plugin_dispatcher.cc @@ -20,6 +20,7 @@ #include "ppapi/proxy/gamepad_resource.h" #include "ppapi/proxy/interface_list.h" #include "ppapi/proxy/interface_proxy.h" +#include "ppapi/proxy/plugin_globals.h" #include "ppapi/proxy/plugin_message_filter.h" #include "ppapi/proxy/plugin_resource_tracker.h" #include "ppapi/proxy/plugin_var_serialization_rules.h" @@ -77,6 +78,8 @@ PluginDispatcher::PluginDispatcher(PP_GetInterface_Func get_interface, } PluginDispatcher::~PluginDispatcher() { + PluginGlobals::Get()->plugin_var_tracker()->DidDeleteDispatcher(this); + if (plugin_delegate_) plugin_delegate_->Unregister(plugin_dispatcher_id_); diff --git a/ppapi/proxy/plugin_var_tracker.cc b/ppapi/proxy/plugin_var_tracker.cc index 14a8584..4561ac5 100644 --- a/ppapi/proxy/plugin_var_tracker.cc +++ b/ppapi/proxy/plugin_var_tracker.cc @@ -188,6 +188,16 @@ void PluginVarTracker::DidDeleteInstance(PP_Instance instance) { } } +void PluginVarTracker::DidDeleteDispatcher(PluginDispatcher* dispatcher) { + for (size_t i = 0; i < live_vars_.size(); ++i) { + if (live_vars_[i].var.get() == NULL) + continue; + ProxyObjectVar* object = live_vars_[i].var->AsProxyObjectVar(); + if (object && object->dispatcher() == dispatcher) + object->clear_dispatcher(); + } +} + ArrayBufferVar* PluginVarTracker::CreateArrayBuffer(uint32 size_in_bytes) { return new PluginArrayBufferVar(size_in_bytes); } @@ -340,14 +350,18 @@ PP_Var PluginVarTracker::GetOrCreateObjectVarID(ProxyObjectVar* object) { void PluginVarTracker::SendAddRefObjectMsg( const ProxyObjectVar& proxy_object) { int unused; - proxy_object.dispatcher()->Send(new PpapiHostMsg_PPBVar_AddRefObject( - API_ID_PPB_VAR_DEPRECATED, proxy_object.host_var_id(), &unused)); + if (proxy_object.dispatcher()) { + proxy_object.dispatcher()->Send(new PpapiHostMsg_PPBVar_AddRefObject( + API_ID_PPB_VAR_DEPRECATED, proxy_object.host_var_id(), &unused)); + } } void PluginVarTracker::SendReleaseObjectMsg( const ProxyObjectVar& proxy_object) { - proxy_object.dispatcher()->Send(new PpapiHostMsg_PPBVar_ReleaseObject( - API_ID_PPB_VAR_DEPRECATED, proxy_object.host_var_id())); + if (proxy_object.dispatcher()) { + proxy_object.dispatcher()->Send(new PpapiHostMsg_PPBVar_ReleaseObject( + API_ID_PPB_VAR_DEPRECATED, proxy_object.host_var_id())); + } } scoped_refptr<ProxyObjectVar> PluginVarTracker::FindOrMakePluginVarFromHostVar( diff --git a/ppapi/proxy/plugin_var_tracker.h b/ppapi/proxy/plugin_var_tracker.h index a8b229397..ca8b978 100644 --- a/ppapi/proxy/plugin_var_tracker.h +++ b/ppapi/proxy/plugin_var_tracker.h @@ -59,7 +59,7 @@ class PPAPI_PROXY_EXPORT PluginVarTracker : public VarTracker { const PP_Var& host_object); // VarTracker public overrides. - void DidDeleteInstance(PP_Instance instance) OVERRIDE; + virtual void DidDeleteInstance(PP_Instance instance) OVERRIDE; virtual int TrackSharedMemoryHandle(PP_Instance instance, base::SharedMemoryHandle file, uint32 size_in_bytes) OVERRIDE; @@ -87,6 +87,8 @@ class PPAPI_PROXY_EXPORT PluginVarTracker : public VarTracker { bool ValidatePluginObjectCall(const PPP_Class_Deprecated* ppp_class, void* user_data); + void DidDeleteDispatcher(PluginDispatcher* dispatcher); + private: // VarTracker protected overrides. virtual int32 AddVarInternal(Var* var, AddVarRefMode mode) OVERRIDE; diff --git a/ppapi/proxy/proxy_object_var.h b/ppapi/proxy/proxy_object_var.h index 5b9caa3..5991053 100644 --- a/ppapi/proxy/proxy_object_var.h +++ b/ppapi/proxy/proxy_object_var.h @@ -39,6 +39,8 @@ class PPAPI_PROXY_EXPORT ProxyObjectVar : public Var { // it's creating IDs. void AssignVarID(int32 id); + void clear_dispatcher() { dispatcher_ = NULL; } + private: proxy::PluginDispatcher* dispatcher_; int32 host_var_id_; |