authormgiuca <mgiuca@chromium.org>2016-03-14 17:56:57 -0700
committerCommit bot <commit-bot@chromium.org>2016-03-15 00:58:01 +0000
commit7e551c12da627989bf8f31afd7b671279113d92d (patch)
tree4b5c0f0750e4e2cc608ebb1393c51bb28f30aaf7 /ui/gfx
parentafe8b19377eba0d66ce30c8753feee2e92fc767b (diff)
Fix use-after-free in gfx::Image.
ToImageSkia, ToUIImage and ToNSImage would insert an ImageRep into the map, then return the pointer to the ImageRep. If the map already contained a rep of that type, the new rep gets freed and the returned pointer is dangling. Adds a CHECK for this case so it will now crash cleanly. This should not happen, but it is evidently possible. This could mean that ToImageSkia is being called from two threads at the same time (which is bad, because gfx::Image is not thread safe). BUG=590882 Review URL: https://codereview.chromium.org/1773433002 Cr-Commit-Position: refs/heads/master@{#381141}
Diffstat (limited to 'ui/gfx')
-rw-r--r--ui/gfx/image/image.cc7
-rw-r--r--ui/gfx/image/image.h3
2 files changed, 8 insertions, 2 deletions
diff --git a/ui/gfx/image/image.cc b/ui/gfx/image/image.cc
index 9b59496..86cc83a 100644
--- a/ui/gfx/image/image.cc
+++ b/ui/gfx/image/image.cc
@@ -752,7 +752,12 @@ internal::ImageRep* Image::GetRepresentation(
void Image::AddRepresentation(scoped_ptr<internal::ImageRep> rep) const {
CHECK(storage_.get());
RepresentationType type = rep->type();
- storage_->representations().insert(std::make_pair(type, std::move(rep)));
+ auto result =
+ storage_->representations().insert(std::make_pair(type, std::move(rep)));
+
+ // insert should not fail (implies that there was already a representation of
+ // that type in the map).
+ CHECK(result.second) << "type was already in map.";
}
} // namespace gfx
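Review bot: The new CHECK at the end of AddRepresentation turns the duplicate insert into a deterministic abort instead of a dangling pointer, which is the right trade-off, but its message does not say which representation type collided, and that is exactly what a crash report for the suspected race needs; consider `CHECK(result.second) << "type " << type << " was already in map.";` (RepresentationType looks like an enum here, so it should stream as an integer; confirm, or cast to int). The comment above the CHECK reads backwards — it is the failure, not the success, that implies a duplicate — so `// insert must succeed; failure means a representation of this type was already in the map.` is clearer. Because the description suspects concurrent callers, the CHECK alone cannot distinguish a data race from a single-threaded logic bug; if gfx::Image is meant to be confined to one thread, a thread-affinity check on the owning object would make that distinction visible in the same report. Note that the moved-in rep is already destroyed by the time the CHECK fires, which is fine only because the process aborts rather than continuing.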
diff --git a/ui/gfx/image/image.h b/ui/gfx/image/image.h
index ec05b26..38a5ea9 100644
--- a/ui/gfx/image/image.h
+++ b/ui/gfx/image/image.h
@@ -183,7 +183,8 @@ class GFX_EXPORT Image {
internal::ImageRep* GetRepresentation(
RepresentationType rep_type, bool must_exist) const;
- // Stores a representation into the map.
+ // Stores a representation into the map. A representation of that type must
+ // not already be in the map.
void AddRepresentation(scoped_ptr<internal::ImageRep> rep) const;
// Internal class that holds all the representations. This allows the Image to