author | mkosiba@chromium.org <mkosiba@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-11-08 18:07:31 +0000 |
---|---|---|
committer | mkosiba@chromium.org <mkosiba@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-11-08 18:07:31 +0000 |
commit | 174bdd0817c4060a87582d7fa835d7b511173627 (patch) | |
tree | 3e1e25fa36f39ab90be578e04409c88174b97576 /sync/engine | |
parent | 12594b927d6e80f4b13bdbe1e1cdab360e02cdec (diff) | |
[android_webview] Fix UAF in request interception code.

It was possible for any of the tasks posted by the
AndroidStreamReaderURLRequestJob to access the InterceptedRequestData
after the URLRequest owning that data structure was deleted.

The fix is to make the newly created job's Delegate own the
InterceptedRequestData since the AndroidStreamReaderURLRequestJob takes
care to not delete the Delegate before all async tasks have finished.

BUG=internal b/11520856
TEST=AndroidWebViewTest

Android-only CL, trybots happy.
NOTRY=true

Review URL: https://codereview.chromium.org/61653004

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@233937 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'sync/engine')
0 files changed, 0 insertions, 0 deletions
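
The ownership change described in the commit message, as an added C++ example that is not code from this commit or from Chromium. `InterceptedData`, `Delegate`, `Request`, `Job` and the task queue are hypothetical stand-ins, and keeping the delegate alive through a `std::shared_ptr` held by each queued task is an assumption about one way to guarantee the lifetime the message relies on.

```cpp
#include <functional>
#include <memory>
#include <queue>
#include <string>
#include <utility>

// Hypothetical stand-ins; none of these are Chromium's real classes.
struct InterceptedData { std::string body; };

// Constructed single-threaded queue standing in for asynchronously posted tasks.
std::queue<std::function<void()>> g_tasks;

// After the fix: the delegate owns the intercepted data, not the request.
struct Delegate {
  explicit Delegate(std::unique_ptr<InterceptedData> d) : data(std::move(d)) {}
  std::unique_ptr<InterceptedData> data;
};

struct Request {
  // The request creates the data; ownership moves out when the job is created.
  std::unique_ptr<InterceptedData> data = std::make_unique<InterceptedData>();
};

struct Job {
  explicit Job(Request& r)
      : delegate(std::make_shared<Delegate>(std::move(r.data))) {}
  // Each queued task holds a reference to the delegate, so the delegate and
  // the data it owns cannot be destroyed before that task has run.
  void PostRead(std::string* out) {
    std::shared_ptr<Delegate> keep = delegate;
    g_tasks.push([keep, out] { *out = keep->data->body; });
  }
  std::shared_ptr<Delegate> delegate;
};

// Deletes the request and the job while a task is still queued, then runs it.
std::string ReadAfterRequestDeleted() {
  std::string out;
  auto request = std::make_unique<Request>();
  request->data->body = "intercepted";
  auto job = std::make_unique<Job>(*request);
  job->PostRead(&out);
  request.reset();  // With request-owned data, this is where it would be freed.
  job.reset();      // The queued task still keeps the delegate alive.
  while (!g_tasks.empty()) { g_tasks.front()(); g_tasks.pop(); }
  return out;
}
```

Building this with AddressSanitizer (`-fsanitize=address`) and moving ownership back into `Request` is a quick way to confirm that the sanitizer reports the stale read in the request-owned layout.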