author | ananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-01-07 22:15:13 +0000 |
---|---|---|
committer | ananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-01-07 22:15:13 +0000 |
commit | 61e1f782242a5e85098fdff8179daab0e862e66a (patch) | |
tree | 65ba6183167e0c3092cbadeb41c1f9bd2a458658 /webkit/plugins | |
parent | 86bb90c138020c272bb9e05ef63332c593ddba46 (diff) | |
Fix for a plugin crasher which occurs in the context of NPP_Destroy. The plugin invokes NPN_MemFree
in this context and we crash while invoking the destructor of the PluginHost as the reference
count of the PluginHost object is 0. It is not clear as to why this happens as the PluginHost
object is implemented as a singleton with a static scoped_refptr object around to ensure
that the ref count is at least 1 until the CRT is around. From the dump it appears that CRT
is still valid.
In any case we don't need to validate the host pointers in NPN_MemAlloc and NPN_MemFree.
Will look further in the code to see if there is any misuse of the PluginHost pointer.
BUG=68767
TEST=none
Review URL: http://codereview.chromium.org/6134001
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@70791 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'webkit/plugins')
-rw-r--r-- | webkit/plugins/npapi/plugin_host.cc | 21 |
1 files changed, 7 insertions, 14 deletions
diff --git a/webkit/plugins/npapi/plugin_host.cc b/webkit/plugins/npapi/plugin_host.cc index 52c2a96..7bea68b 100644 --- a/webkit/plugins/npapi/plugin_host.cc +++ b/webkit/plugins/npapi/plugin_host.cc @@ -292,24 +292,17 @@ using webkit::npapi::WebPlugin; // Allocates memory from the host's memory space. void* NPN_MemAlloc(uint32_t size) { - scoped_refptr<PluginHost> host(PluginHost::Singleton()); - if (host != NULL) { - // Note: We must use the same allocator/deallocator - // that is used by the javascript library, as some of the - // JS APIs will pass memory to the plugin which the plugin - // will attempt to free. - return malloc(size); - } - return NULL; + // Note: We must use the same allocator/deallocator + // that is used by the javascript library, as some of the + // JS APIs will pass memory to the plugin which the plugin + // will attempt to free. + return malloc(size); } // Deallocates memory from the host's memory space void NPN_MemFree(void* ptr) { - scoped_refptr<PluginHost> host(PluginHost::Singleton()); - if (host != NULL) { - if (ptr != NULL && ptr != reinterpret_cast<void*>(-1)) - free(ptr); - } + if (ptr != NULL && ptr != reinterpret_cast<void*>(-1)) + free(ptr); } // Requests that the host free a specified amount of memory. |
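Review bot: The removed guard `scoped_refptr<PluginHost> host(PluginHost::Singleton());` is the most plausible trigger of the crash described in the message, not just dead weight: if the singleton's ref count really is 0 when NPN_MemFree runs during NPP_Destroy, constructing the scoped_refptr bumps it to 1 and the scope exit drops it back to 0, which deletes the object and runs the PluginHost destructor that the dump shows crashing. Dropping it here is behaviour-preserving for these two functions, since `host` was only ever compared against NULL and never dereferenced, and malloc/free do not depend on the host at all, so NPN_MemAlloc now returns NULL only when malloc fails rather than also when the singleton is unavailable. Two follow-ups: the retained `ptr != reinterpret_cast<void*>(-1)` sentinel check in NPN_MemFree has no comment saying why that value is skipped, so please add one; and since the message admits the root cause of the zero ref count is unknown, any other NPN_ entry point that still takes a scoped_refptr to the singleton in the NPP_Destroy path would hit the same destructor, so this fixes the symptom in two callers and the ref-count lifetime still needs tracking down. Given TEST=none, a regression test that calls NPN_MemFree from within a plugin's NPP_Destroy would pin this behaviour.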