author     gavinp@chromium.org <gavinp@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>    2013-05-29 08:26:06 +0000
committer  gavinp@chromium.org <gavinp@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>    2013-05-29 08:26:06 +0000
commit     370bd9b522d2ccd4a3113d6c93d30cdf8ca502ef (patch)
tree       ba198b7f702eb3921adb1911feb69fb5ee271b80 /webkit
parent     02a0911dfa3567e3597492b41c94dc7d48fb209c (diff)
Protect WebURLLoaderImpl::Context while receiving responses.
A client's didReceiveResponse can cancel a request; by protecting the Context we avoid a use after free in this case. Interestingly, we really had very good warning about this problem, see https://codereview.chromium.org/11900002/ back in January.

R=darin
BUG=241139

Review URL: https://chromiumcodereview.appspot.com/15738007

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@202821 0039d316-1c4b-4281-b951-d872f2087c98
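The hazard the commit message describes, as an added example that is not Chromium's code: a refcounted Context whose only long-lived reference is held by its loader, and a client that cancels the load from inside didReceiveResponse. RefCounted, scoped_refptr, Loader, Client, Context, RunLoad and the Outcome values are simplified stand-ins constructed for this example (assumptions, not the project's types); a global destruction counter lets the program report what happened without touching the freed object.

```cpp
#include <cassert>
#include <cstdio>

// Simplified stand-ins for base::RefCounted and scoped_refptr (hypothetical,
// not Chromium's implementations): enough to show when the last reference goes.
class RefCounted {
 public:
  void AddRef() { ++ref_count_; }
  void Release() {
    if (--ref_count_ == 0) delete this;
  }
 protected:
  virtual ~RefCounted() {}
 private:
  int ref_count_ = 0;
};

template <typename T>
class scoped_refptr {
 public:
  scoped_refptr() {}
  explicit scoped_refptr(T* p) { reset(p); }
  scoped_refptr(const scoped_refptr&) = delete;
  scoped_refptr& operator=(const scoped_refptr&) = delete;
  ~scoped_refptr() { reset(nullptr); }
  void reset(T* p) {
    if (p) p->AddRef();
    T* old = ptr_;
    ptr_ = p;
    if (old) old->Release();
  }
  T* get() const { return ptr_; }
  T* operator->() const { return ptr_; }
 private:
  T* ptr_ = nullptr;
};

int g_contexts_destroyed = 0;  // incremented by ~Context so callers can observe it

struct Loader;

// The embedder's client, in the role of WebURLLoaderClient (hypothetical).
struct Client {
  virtual ~Client() {}
  virtual void didReceiveResponse(Loader* loader) = 0;
};

enum Outcome {
  kDestroyedDuringCallback,  // callback dropped the last reference: the UAF case
  kCancelledButAlive,        // cancelled, but the local reference kept us alive
  kStillActive               // nothing happened; normal path continues
};

// Stand-in for WebURLLoaderImpl::Context (hypothetical, simplified).
class Context : public RefCounted {
 public:
  Context(Loader* loader, Client* client) : loader_(loader), client_(client) {}
  ~Context() override { ++g_contexts_destroyed; }

  void Cancel() {
    client_ = nullptr;
    loader_ = nullptr;
  }

  Outcome OnReceivedResponse(bool protect_self) {
    const int destroyed_before = g_contexts_destroyed;
    scoped_refptr<Context> protect;
    if (protect_self) protect.reset(this);  // the one-line fix from the commit

    client_->didReceiveResponse(loader_);  // may re-enter Loader::cancel()

    // Without the protect, cancel() released the loader's (and only) reference
    // and `this` is already freed. Touching any member here is the use after
    // free, so this path reads only the global and returns.
    if (g_contexts_destroyed != destroyed_before) return kDestroyedDuringCallback;

    // With the protect we are alive, but we may still have been cancelled and
    // must not keep driving the request.
    if (!client_) return kCancelledButAlive;
    return kStillActive;
  }

 private:
  Loader* loader_;
  Client* client_;
};

// Owns the only long-lived reference to its Context, like WebURLLoaderImpl.
struct Loader {
  scoped_refptr<Context> context;
  void cancel() {
    if (!context.get()) return;
    context->Cancel();
    context.reset(nullptr);  // drops the loader's reference
  }
};

struct NormalClient : Client {
  void didReceiveResponse(Loader*) override {}
};

struct CancellingClient : Client {
  void didReceiveResponse(Loader* loader) override { loader->cancel(); }
};

// Runs one load whose response is delivered to ClientT and reports what the
// Context saw after the callback returned.
template <typename ClientT>
Outcome RunLoad(bool protect_self) {
  Loader loader;
  ClientT client;
  Context* ctx = new Context(&loader, &client);
  loader.context.reset(ctx);
  return ctx->OnReceivedResponse(protect_self);
}

int main() {
  assert(RunLoad<NormalClient>(false) == kStillActive);
  assert(RunLoad<CancellingClient>(false) == kDestroyedDuringCallback);
  assert(RunLoad<CancellingClient>(true) == kCancelledButAlive);
  std::printf("contexts destroyed: %d\n", g_contexts_destroyed);
  return 0;
}
```

RunLoad<CancellingClient>(false) is the pre-patch situation: the loader's reset drops the last reference inside the callback, and anything OnReceivedResponse did with its members afterwards would be the use after free. With protect_self the local scoped_refptr keeps the count at one until the function returns, but the code must still notice the cancel (client_ cleared) and stop rather than continue as if the request were live.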
Diffstat (limited to 'webkit')
-rw-r--r--  webkit/glue/weburlloader_impl.cc  1
1 files changed, 1 insertions, 0 deletions
diff --git a/webkit/glue/weburlloader_impl.cc b/webkit/glue/weburlloader_impl.cc
index d550422..853d437 100644
--- a/webkit/glue/weburlloader_impl.cc
+++ b/webkit/glue/weburlloader_impl.cc
@@ -637,6 +637,7 @@ void WebURLLoaderImpl::Context::OnReceivedResponse(
}
}
+ scoped_refptr<Context> protect(this);
client_->didReceiveResponse(loader_, response);
// We may have been cancelled after didReceiveResponse, which would leave us
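Review bot: the added `scoped_refptr<Context> protect(this);` needs a one-line comment on why it is there, since nothing in the hunk says that `client_->didReceiveResponse(loader_, response);` can re-enter cancellation and drop the last reference to this Context; suggest something like `// didReceiveResponse may cancel the request and release our last reference; keep |this| alive across the call.` Note also that the protect only keeps the object's memory alive: if cancellation clears members such as `client_`, the code after the call still has to check for the cancelled state before using them, which the trailing comment on the next line suggests it does. The same protection is worth checking at any other `client_` callback on this path that can reach cancel.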