Diffstat (limited to 'sandbox/mac/launchd_interception_server.cc')
-rw-r--r-- | sandbox/mac/launchd_interception_server.cc | 29 |
1 files changed, 16 insertions, 13 deletions
diff --git a/sandbox/mac/launchd_interception_server.cc b/sandbox/mac/launchd_interception_server.cc
index 919f207..3cb1821 100644
--- a/sandbox/mac/launchd_interception_server.cc
+++ b/sandbox/mac/launchd_interception_server.cc
@@ -76,6 +76,12 @@ bool LaunchdInterceptionServer::Initialize() {
 return false;
 }
 sandbox_port_.reset(port);
+ if ((kr = mach_port_insert_right(task, sandbox_port_, sandbox_port_,
+ MACH_MSG_TYPE_MAKE_SEND) != KERN_SUCCESS)) {
+ MACH_LOG(ERROR, kr) << "Failed to allocate dummy sandbox port send right.";
+ return false;
+ }
+ sandbox_send_port_.reset(sandbox_port_);
 
 // Set up the dispatch queue to service the bootstrap port.
 // TODO(rsesek): Specify DISPATCH_QUEUE_SERIAL, in the 10.7 SDK. NULL means
@@ -216,16 +222,13 @@ void LaunchdInterceptionServer::HandleLookUp(mach_msg_header_t* request,
 else
 result_port = rule.substitute_port;
 
- // Grant an additional send right on the result_port so that it can be
- // sent to the sandboxed child process.
- kern_return_t kr = mach_port_insert_right(mach_task_self(),
- result_port, result_port, MACH_MSG_TYPE_MAKE_SEND);
- if (kr != KERN_SUCCESS) {
- MACH_LOG(ERROR, kr) << "Unable to insert right on result_port.";
- }
-
 compat_shim_.look_up2_fill_reply(reply, result_port);
- SendReply(reply);
+ // If the message was sent successfully, clear the result_port out of the
+ // message so that it is not destroyed at the end of ReceiveMessage. The
+ // above-inserted right has been moved out of the process, and destroying
+ // the message will unref yet another right.
+ if (SendReply(reply))
+ compat_shim_.look_up2_fill_reply(reply, MACH_PORT_NULL);
 } else {
 NOTREACHED();
 }
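Review bot: The check added in Initialize() is mis-parenthesized: in `(kr = mach_port_insert_right(...) != KERN_SUCCESS)` the comparison binds tighter than the assignment, so `kr` receives 0 or 1 instead of the kernel return code. The failure branch still fires, but `MACH_LOG(ERROR, kr)` then reports code 1 rather than the real error, which hides why the send right could not be created. Close the assignment before comparing: `if ((kr = mach_port_insert_right(task, sandbox_port_, sandbox_port_, MACH_MSG_TYPE_MAKE_SEND)) != KERN_SUCCESS) {`. The log text could also say "insert" rather than "allocate", since no port is allocated at this point. Initialize() starts and ends outside the hunk.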
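Review bot: The new comment in HandleLookUp speaks of "the above-inserted right", but this same change removes the `mach_port_insert_right` call, so nothing visible above it in the hunk inserts a right any more. Reword it to name what is actually moved, for example `// On success the send right carried in the reply has left this process; clear result_port so that destroying the message in ReceiveMessage does not release a second right.` When SendReply fails, the reply still names result_port and is destroyed by ReceiveMessage. The disposition set by look_up2_fill_reply is not visible here, so it is worth confirming that this path cannot release the single send right now held in sandbox_send_port_. An unbalanced right count in the sandbox broker would leave later look-ups with a dead or stale port name. HandleLookUp starts and ends outside the hunk.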
@@ -246,12 +249,12 @@ void LaunchdInterceptionServer::HandleSwapInteger(mach_msg_header_t* request, } } -void LaunchdInterceptionServer::SendReply(mach_msg_header_t* reply) { +bool LaunchdInterceptionServer::SendReply(mach_msg_header_t* reply) { kern_return_t kr = mach_msg(reply, MACH_SEND_MSG, reply->msgh_size, 0, MACH_PORT_NULL, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL); - if (kr != KERN_SUCCESS) { - MACH_LOG(ERROR, kr) << "Unable to send intercepted reply message."; - } + MACH_LOG_IF(ERROR, kr != KERN_SUCCESS, kr) + << "Unable to send intercepted reply message."; + return kr == KERN_SUCCESS; } void LaunchdInterceptionServer::ForwardMessage(mach_msg_header_t* request, |
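Review bot: SendReply's new bool result now decides port-right ownership in HandleLookUp, yet the definition carries no comment stating that contract. Add one above the definition, and on the declaration in the header, which is not part of this diff: `// Returns true if the reply was sent; any port rights it carried then belong to the receiver.` Other callers (HandleSwapInteger appears in the hunk header) presumably ignore the result. That is fine only if their replies carry no port rights, so it should be confirmed.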