author | pliard@chromium.org <pliard@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-09-13 09:06:33 +0000 |
---|---|---|
committer | pliard@chromium.org <pliard@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-09-13 09:06:33 +0000 |
commit | 40b419f07d4d3ee4c16093bc06f3cdd115afe5ee (patch) | |
tree | 1ea2779c342856bb7bc6e69e5d97eef3e972984f /tools | |
parent | fdf631e51042853d94ae91426993098ece338345 (diff) | |
Fix use-after-free when create/open operations outlive the backend.

There were two main issues:

- On completion an operation should not only conditionally dereference the
backend pointer but also the state that is indirectly tied to it (e.g. the
Entry output pointer provided by the client).
- Operations initiated through the backend (e.g. create/open) should not invoke
the client-provided completion callback if the backend is already destroyed.
This is explicitly stated in the disk_cache API.

BUG=288963
Review URL: https://chromiumcodereview.appspot.com/23981005
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@223013 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'tools')
0 files changed, 0 insertions, 0 deletions
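
An added illustration of the two rules in the commit message above; it is not code from this commit or from Chromium. `Backend`, `OpenEntry`, `RunScenario` and the `std::weak_ptr` liveness token are hypothetical stand-ins chosen for the example, since the page does not show how the fix is implemented.

```cpp
// Added illustration; hypothetical names, not Chromium's disk_cache code.
#include <cstdio>
#include <functional>
#include <memory>
#include <string>
#include <vector>

struct Entry { std::string key; };
using Task = std::function<void()>;
using CompletionCallback = std::function<void(int)>;

class Backend {
 public:
  Backend() : alive_(std::make_shared<bool>(true)) {}
  // Queues an open; `pending` stands in for the thread that replies later.
  void OpenEntry(const std::string& key, Entry** out, CompletionCallback cb,
                 std::vector<Task>* pending) {
    std::weak_ptr<bool> alive = alive_;  // liveness token, dies with the backend
    pending->push_back([alive, key, out, cb]() {
      std::unique_ptr<Entry> entry(new Entry{key});  // result of the "I/O"
      // Backend destroyed: `out` may point into freed client memory and the
      // API promises no callback, so drop the result and touch neither.
      if (alive.expired()) return;
      *out = entry.release();
      cb(0);
    });
  }
 private:
  std::shared_ptr<bool> alive_;
};

struct Outcome { bool callback_ran; bool entry_written; };

// Starts an open, optionally destroys the backend, then delivers the reply.
Outcome RunScenario(bool destroy_backend_first) {
  std::vector<Task> pending;
  Entry* out = nullptr;  // kept alive here only so the result can be inspected
  bool callback_ran = false;
  std::unique_ptr<Backend> backend(new Backend);
  backend->OpenEntry("constructed-key", &out,
                     [&callback_ran](int) { callback_ran = true; }, &pending);
  if (destroy_backend_first) backend.reset();
  for (Task& task : pending) task();
  Outcome result{callback_ran, out != nullptr};
  delete out;
  return result;
}

int main() {
  Outcome late = RunScenario(true), normal = RunScenario(false);
  std::printf("late: cb=%d written=%d; normal: cb=%d written=%d\n",
              late.callback_ran, late.entry_written, normal.callback_ran, normal.entry_written);
}
```

Guarding only the backend pointer while still writing `*out` or calling `cb` would leave the same class of bug, which is why the single liveness check covers all three.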