From fb6ec999c0d049c78b16ca6106d5e45624f94ac8 Mon Sep 17 00:00:00 2001
From: "jar@chromium.org"
Date: Mon, 3 Aug 2009 07:01:47 +0000
Subject: Add defensive code in pickle to preclude realloc of shared header_ memory.

Since I was able to (some how) generate a problem with header_ being double freed (perhaps, because it was shared in some way??), this change adds several lines of defensive coding.

The current assignment operator appears very dangerous, as it allowed Resize to be called when the header_ was not owned by the instance (it was read-only). I haven't found a path to cause a problem, but we may as well be defensive.

BUG=17027
BUG=17088
r=CPU

Review URL: http://codereview.chromium.org/160490

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@22261 0039d316-1c4b-4281-b951-d872f2087c98
---
 base/pickle.cc | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'base')

diff --git a/base/pickle.cc b/base/pickle.cc
index e491832..31bf5b7 100644
--- a/base/pickle.cc
+++ b/base/pickle.cc
@@ -65,12 +65,16 @@ Pickle::~Pickle() {
 }
 
 Pickle& Pickle::operator=(const Pickle& other) {
-  if (header_size_ != other.header_size_ && capacity_ != kCapacityReadOnly) {
+  if (capacity_ == kCapacityReadOnly) {
+    header_ = NULL;
+    capacity_ = 0;
+  }
+  if (header_size_ != other.header_size_) {
     free(header_);
     header_ = NULL;
     header_size_ = other.header_size_;
   }
-  bool resized = Resize(other.header_size_ + other.header_->payload_size);
+  bool resized = Resize(header_size_ + other.header_->payload_size);
   CHECK(resized); // Realloc failed.
   memcpy(header_, other.header_, header_size_ + other.header_->payload_size);
   variable_buffer_offset_ = other.variable_buffer_offset_;
@@ -365,6 +369,7 @@ void Pickle::TrimWriteData(int new_length) {
 
 bool Pickle::Resize(size_t new_capacity) {
   new_capacity = AlignInt(new_capacity, kPayloadUnit);
+  CHECK(capacity_ != kCapacityReadOnly);
   void* p = realloc(header_, new_capacity);
   if (!p)
     return false;
-- 
cgit v1.1
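Review bot: The rewritten `operator=` still has no self-assignment guard, and with the new read-only branch assigning a read-only Pickle to itself sets `header_ = NULL` and then dereferences `other.header_->payload_size` through that same null pointer on the Resize line. Add `if (this == &other) return *this;` as the first statement of the function; even for an owning Pickle, self-assignment reaches `memcpy(header_, other.header_, ...)` with identical source and destination, which memcpy does not permit. Dropping the read-only `header_` without freeing it is presumably right because a read-only Pickle borrows its buffer — the constructors are outside the hunk — and a comment on the new branch such as `// Read-only pickles borrow header_; forget it rather than free it.` would make that ownership rule explicit. The function's return statement is outside the hunk.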
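Review bot: The added `CHECK(capacity_ != kCapacityReadOnly)` in `Resize` carries no comment stating the invariant it enforces, so the next reader has to rediscover that a read-only Pickle's `header_` is not heap memory the instance owns; `// A read-only Pickle does not own header_, so it must never be passed to realloc.` above the CHECK would record that. Placing the CHECK before the realloc is right, and it now also backs `operator=`, which resets `capacity_` to 0 before calling Resize. One caveat worth confirming since it is not visible here: if `new_capacity` can reach this point as 0, `realloc(header_, 0)` may free the buffer and return NULL, and the `return false` path would then leave `header_` dangling. The rest of Resize's body is outside the hunk.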