summaryrefslogtreecommitdiffstats
path: root/tools
diff options
context:
space:
mode:
authorpliard@chromium.org <pliard@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-09-13 09:06:33 +0000
committerpliard@chromium.org <pliard@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-09-13 09:06:33 +0000
commit40b419f07d4d3ee4c16093bc06f3cdd115afe5ee (patch)
tree1ea2779c342856bb7bc6e69e5d97eef3e972984f /tools
parentfdf631e51042853d94ae91426993098ece338345 (diff)
downloadchromium_src-40b419f07d4d3ee4c16093bc06f3cdd115afe5ee.zip
chromium_src-40b419f07d4d3ee4c16093bc06f3cdd115afe5ee.tar.gz
chromium_src-40b419f07d4d3ee4c16093bc06f3cdd115afe5ee.tar.bz2
Fix user-after-free when create/open operations outlive the backend.
There were two main issues: - On completion an operation should not only conditionnally dereference the backend pointer but also the state that is indirectly tied to it (e.g. the Entry output pointer provided by the client). - Operations initiated through the backend (e.g. create/open) should not invoke the client-provided completion callback if the backend is already destroyed. This is explicitly stated in the disk_cache API. BUG=288963 Review URL: https://chromiumcodereview.appspot.com/23981005 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@223013 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'tools')
0 files changed, 0 insertions, 0 deletions