From 5f8cbd5751a4d2ef52974fa4b4f7ab9943db07d1 Mon Sep 17 00:00:00 2001
From: "ananta@chromium.org"
Date: Mon, 3 Nov 2008 23:21:38 +0000
Subject: This fixes bug http://code.google.com/p/chromium/issues/detail?id=3907, which was a crash in the browser in the IPC handler codepath which handles scrolling. The crash occured because of a failure to find the backing store for the RenderWidgetHost instance. We would end up dereferencing a NULL backing store pointer and crash. The fix for this is to check for a NULL backing store and return. R=darin Bug=3907 Review URL: http://codereview.chromium.org/9056 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@4517 0039d316-1c4b-4281-b951-d872f2087c98
---
 chrome/browser/render_widget_host.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/chrome/browser/render_widget_host.cc b/chrome/browser/render_widget_host.cc
index 281d6aa46..055d376 100644
--- a/chrome/browser/render_widget_host.cc
+++ b/chrome/browser/render_widget_host.cc
@@ -788,7 +788,7 @@ void RenderWidgetHost::ScrollRect(HANDLE bitmap, const gfx::Rect& bitmap_rect,
   // the same size as the advertised view? maybe we just assume there is a
   // full paint on its way?
   BackingStore* backing_store = BackingStoreManager::Lookup(this);
-  if (backing_store && backing_store->size() != view_size)
+  if (!backing_store || (backing_store->size() != view_size))
     return;
   RECT damaged_rect, r = clip_rect.ToRECT();
-- cgit v1.1
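Review bot: The new guard turns a missing backing store into a silent early return, but nothing at the site says that a NULL lookup is an expected state rather than a bug, so the next reader may "fix" it back; add `// No backing store yet, or a stale size: skip the scroll, a full paint replaces it.` above the `if`. The parentheses around `(backing_store->size() != view_size)` are redundant given `||` precedence; `if (!backing_store || backing_store->size() != view_size)` reads the same. This check validates only the store, not the renderer-supplied `clip_rect`/`bitmap_rect` that the next line starts converting, so if the code after the hunk does not clamp those rectangles to the store's bounds before blitting, that is still unvalidated IPC input on a browser-side path; I cannot see that from here. If the `bitmap` HANDLE is owned by this function, the early-return path would also need to release it. ScrollRect's body begins before this hunk and continues past it.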