author | sky@chromium.org <sky@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-08-29 05:07:30 +0000 |
---|---|---|
committer | sky@chromium.org <sky@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-08-29 05:07:30 +0000 |
commit | 6286f48283093034d89f6db70ae37bfe8ebc6395 (patch) | |
tree | 5afac7191b720a9da4c49f7c0b6b4803b626e30b /ui/aura/root_window.cc | |
parent | a598124c73a8fb39c31871620d6783608e83d964 (diff) | |
Attempt at fixing use after free in RootWindow
When capture changes, CaptureController retargets all events to the
new capture window of all RootWindows. RootWindow was not clearing
the GestureRecognizer when capture was released though, meaning a
RootWindow's GestureRecognizer could be referencing a Window the
RootWindow no longer contains. If this happened, when the Window
was deleted the RootWindow would not be notified (since it didn't
contain the Window) and wouldn't clean up the GestureRecognizer.
We have code to do similar cleanup for mouse events, but not touch.
BUG=275756
TEST=covered by unit test
R=oshima@chromium.org, sadrul@chromium.org
Review URL: https://chromiumcodereview.appspot.com/23551006
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@220207 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'ui/aura/root_window.cc')
-rw-r--r-- | ui/aura/root_window.cc | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/ui/aura/root_window.cc b/ui/aura/root_window.cc index 1561d64..cabb118 100644 --- a/ui/aura/root_window.cc +++ b/ui/aura/root_window.cc @@ -654,6 +654,14 @@ bool RootWindow::CanReceiveEvents() const { void RootWindow::UpdateCapture(Window* old_capture, Window* new_capture) { + if (!new_capture && old_capture && old_capture->GetRootWindow() != this) { + // If we no longer contain the window that had capture make sure we clean + // state in the GestureRecognizer. Since we don't contain the window we'll + // never get notification of its destruction and clean up state. + // We do this early on as OnCaptureLost() may delete |old_capture|. + gesture_recognizer_->CleanupStateForConsumer(old_capture); + } + if (old_capture && old_capture->GetRootWindow() == this && old_capture->delegate()) { // Send a capture changed event with bogus location data. @@ -674,9 +682,8 @@ void RootWindow::UpdateCapture(Window* old_capture, } if (new_capture) { - // Make all subsequent mouse events and touch go to the capture window. We - // shouldn't need to send an event here as OnCaptureLost should take care of - // that. + // Make all subsequent mouse events go to the capture window. We shouldn't + // need to send an event here as OnCaptureLost() should take care of that. if (mouse_moved_handler_ || Env::GetInstance()->is_mouse_button_down()) mouse_moved_handler_ = new_capture; } else { |
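Review bot: In the new guard at the top of `RootWindow::UpdateCapture()`, the cleanup only runs when `new_capture` is null, so when capture moves directly from a window this RootWindow no longer contains to another window, `gesture_recognizer_` can still hold state for `old_capture`. Either drop the `!new_capture` condition so `CleanupStateForConsumer(old_capture)` runs whenever `old_capture->GetRootWindow() != this`, or extend the comment to say why the non-null case cannot leave a stale reference. `old_capture->GetRootWindow()` is also evaluated here and again in the `if` that follows; caching it in a local would make it obvious that the two branches are complementary. In the second hunk the comment now mentions only mouse events, so a short pointer to where touch events are retargeted would save the next reader a search.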