diff options
| author | ananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-09-11 21:01:17 +0000 |
|---|---|---|
| committer | ananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-09-11 21:01:17 +0000 |
| commit | 91332b626ed0625764b76ec108f5de24ea7c22ed (patch) | |
| tree | 5d6d40632c7b4de720ae3dd96431caf27d17aba5 /webkit/glue | |
| parent | 02473008f5f1948494b9fb69e5781746b66f6f80 (diff) | |
| download | chromium_src-91332b626ed0625764b76ec108f5de24ea7c22ed.zip chromium_src-91332b626ed0625764b76ec108f5de24ea7c22ed.tar.gz chromium_src-91332b626ed0625764b76ec108f5de24ea7c22ed.tar.bz2 | |
Fixes a crash in the plugin process specifically in the PluginStreamUrl::DidReceiveData
function. This crash occurs if the PluginStreamUrl instance is deleted in the context of
PluginStream::Write which occurs if the underlying NPP_Write call to the plugin returns
a negative value, indicating that the plugin did not accept data. We close the stream in
this case which releases existing references to the PluginStream which results in the object
being deleted.
Added a UI test for this case.
Fixes bug http://code.google.com/p/chromium/issues/detail?id=19393
Bug=19393
Review URL: http://codereview.chromium.org/199093
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@26011 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'webkit/glue')
| -rw-r--r-- | webkit/glue/plugins/plugin_stream_url.cc | 9 | ||||
| -rw-r--r-- | webkit/glue/plugins/test/plugin_client.cc | 3 | ||||
| -rw-r--r-- | webkit/glue/plugins/test/plugin_geturl_test.cc | 19 | ||||
| -rw-r--r-- | webkit/glue/plugins/test/plugin_geturl_test.h | 1 |
4 files changed, 28 insertions, 4 deletions
diff --git a/webkit/glue/plugins/plugin_stream_url.cc b/webkit/glue/plugins/plugin_stream_url.cc index 2aa2f84..ae26e62 100644 --- a/webkit/glue/plugins/plugin_stream_url.cc +++ b/webkit/glue/plugins/plugin_stream_url.cc @@ -65,9 +65,12 @@ void PluginStreamUrl::DidReceiveData(const char* buffer, int length, return; if (length > 0) { - Write(const_cast<char*>(buffer), length, data_offset); - if (id_ > 0) - instance()->webplugin()->SetDeferResourceLoading(id_, false); + // The PluginStreamUrl instance could get deleted if the plugin fails to + // accept data in NPP_Write. + if (Write(const_cast<char*>(buffer), length, data_offset) > 0) { + if (id_ > 0) + instance()->webplugin()->SetDeferResourceLoading(id_, false); + } } } diff --git a/webkit/glue/plugins/test/plugin_client.cc b/webkit/glue/plugins/test/plugin_client.cc index 2361805..66e41b8 100644 --- a/webkit/glue/plugins/test/plugin_client.cc +++ b/webkit/glue/plugins/test/plugin_client.cc @@ -99,7 +99,8 @@ NPError NPP_New(NPMIMEType pluginType, NPP instance, uint16 mode, if (test_name == "arguments") { new_test = new NPAPIClient::PluginArgumentsTest(instance, NPAPIClient::PluginClient::HostFunctions()); - } else if (test_name == "geturl" || test_name == "geturl_404_response") { + } else if (test_name == "geturl" || test_name == "geturl_404_response" || + test_name == "geturl_fail_write") { new_test = new NPAPIClient::PluginGetURLTest(instance, NPAPIClient::PluginClient::HostFunctions()); } else if (test_name == "npobject_proxy") { diff --git a/webkit/glue/plugins/test/plugin_geturl_test.cc b/webkit/glue/plugins/test/plugin_geturl_test.cc index 1a9e440..baf9080 100644 --- a/webkit/glue/plugins/test/plugin_geturl_test.cc +++ b/webkit/glue/plugins/test/plugin_geturl_test.cc @@ -46,6 +46,12 @@ NPError PluginGetURLTest::New(uint16 mode, int16 argc, const char* argn[], if (page_not_found_url) { page_not_found_url_ = page_not_found_url; expect_404_response_ = true; + } else { + const char* fail_write_url = GetArgValue("fail_write_url", argc, + argn, argv); + if (fail_write_url) { + fail_write_url_ = fail_write_url; + } } return PluginTest::New(mode, argc, argn, argv, saved); @@ -60,6 +66,9 @@ NPError PluginGetURLTest::SetWindow(NPWindow* pNPWindow) { if (expect_404_response_) { HostFunctions()->geturl(id(), page_not_found_url_.c_str(), NULL); return NPERR_NO_ERROR; + } else if (!fail_write_url_.empty()) { + HostFunctions()->geturl(id(), fail_write_url_.c_str(), NULL); + return NPERR_NO_ERROR; } std::string url = SELF_URL; @@ -107,6 +116,11 @@ NPError PluginGetURLTest::NewStream(NPMIMEType type, NPStream* stream, return NPERR_NO_ERROR; } + if (!fail_write_url_.empty()) { + return NPERR_NO_ERROR; + } + + unsigned long stream_id = reinterpret_cast<unsigned long>( stream->notifyData); @@ -160,6 +174,11 @@ int32 PluginGetURLTest::Write(NPStream *stream, int32 offset, int32 len, return PluginTest::Write(stream, offset, len, buffer); } + if (!fail_write_url_.empty()) { + SignalTestCompleted(); + return -1; + } + if (stream == NULL) SetError("Write got null stream"); if (len < 0 || len > STREAM_CHUNK) diff --git a/webkit/glue/plugins/test/plugin_geturl_test.h b/webkit/glue/plugins/test/plugin_geturl_test.h index 1ff443b..6372ef9 100644 --- a/webkit/glue/plugins/test/plugin_geturl_test.h +++ b/webkit/glue/plugins/test/plugin_geturl_test.h @@ -46,6 +46,7 @@ class PluginGetURLTest : public PluginTest { // This flag is set to true in the context of the NPN_Evaluate call. bool npn_evaluate_context_; std::string page_not_found_url_; + std::string fail_write_url_; }; } // namespace NPAPIClient |