Copy buffers in base::FileUtilProxy::{Read,Write} to avoid memory corruption.

If caller has called PPB_FileIO_Impl::Close() while a read or 
write operation is in flight, and deletes the read or write buffer, we now avoid corrupting memory. 

For Write, FileUtilProxy::Write simply copies the input buffer before passing control to the FILE thread. For Read, the caller no longer passes a buffer; instead, they are passed a const char* in the ReadCallback. 

One caller of FileUtilProxy::Read outside of PPAPI was also updated. 

BUG=70285
R=darin
Patch by Adam Klein (adamk@chromium.org)
Originally reviewed at http://codereview.chromium.org/6312040/

Review URL: http://codereview.chromium.org/6349090

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@73714 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 29 insertions, 7 deletions

diff --git a/webkit/plugins/ppapi/ppb_file_io_impl.cc b/webkit/plugins/ppapi/ppb_file_io_impl.cc
index ac8004b..fab8c7b 100644
--- a/webkit/plugins/ppapi/ppb_file_io_impl.cc
+++ b/webkit/plugins/ppapi/ppb_file_io_impl.cc
@@ -205,7 +205,8 @@ PPB_FileIO_Impl::PPB_FileIO_Impl(PluginInstance* instance)
       ALLOW_THIS_IN_INITIALIZER_LIST(callback_factory_(this)),
       file_(base::kInvalidPlatformFileValue),
       callback_(),
-      info_(NULL) {
+      info_(NULL),
+      read_buffer_(NULL) {
 }
 
 PPB_FileIO_Impl::~PPB_FileIO_Impl() {
@@ -311,10 +312,14 @@ int32_t PPB_FileIO_Impl::Read(int64_t offset,
   if (rv != PP_OK)
     return rv;
 
+  // If |read_buffer__|, a callback should be pending (caught above).
+  DCHECK(!read_buffer_);
+  read_buffer_ = buffer;
+
   if (!base::FileUtilProxy::Read(
           instance()->delegate()->GetFileThreadMessageLoopProxy(),
-          file_, offset, buffer, bytes_to_read,
-          callback_factory_.NewCallback(&PPB_FileIO_Impl::ReadWriteCallback)))
+          file_, offset, bytes_to_read,
+          callback_factory_.NewCallback(&PPB_FileIO_Impl::ReadCallback)))
     return PP_ERROR_FAILED;
 
   RegisterCallback(callback);
@@ -332,7 +337,7 @@ int32_t PPB_FileIO_Impl::Write(int64_t offset,
   if (!base::FileUtilProxy::Write(
           instance()->delegate()->GetFileThreadMessageLoopProxy(),
           file_, offset, buffer, bytes_to_write,
-          callback_factory_.NewCallback(&PPB_FileIO_Impl::ReadWriteCallback)))
+          callback_factory_.NewCallback(&PPB_FileIO_Impl::WriteCallback)))
     return PP_ERROR_FAILED;
 
   RegisterCallback(callback);
@@ -469,12 +474,29 @@ void PPB_FileIO_Impl::QueryInfoCallback(
   RunPendingCallback(PlatformFileErrorToPepperError(error_code));
 }
 
-void PPB_FileIO_Impl::ReadWriteCallback(base::PlatformFileError error_code,
-                                        int bytes_read_or_written) {
+void PPB_FileIO_Impl::ReadCallback(base::PlatformFileError error_code,
+                                   const char* data, int bytes_read) {
+  DCHECK(data);
+  DCHECK(read_buffer_);
+
+  int rv;
+  if (error_code == base::PLATFORM_FILE_OK) {
+    rv = bytes_read;
+    if (file_ != base::kInvalidPlatformFileValue)
+      memcpy(read_buffer_, data, bytes_read);
+  } else
+    rv = PlatformFileErrorToPepperError(error_code);
+
+  read_buffer_ = NULL;
+  RunPendingCallback(rv);
+}
+
+void PPB_FileIO_Impl::WriteCallback(base::PlatformFileError error_code,
+                                    int bytes_written) {
   if (error_code != base::PLATFORM_FILE_OK)
     RunPendingCallback(PlatformFileErrorToPepperError(error_code));
   else
-    RunPendingCallback(bytes_read_or_written);
+    RunPendingCallback(bytes_written);
 }
 
 }  // namespace ppapi