[ MimeHandlerView ] Provisional fix for a browser crash
When a MimeHandlerView related resource is intercepted by the
PluginResponseInterceptorURLLoaderThrottle, loading is deferred to when
a MimeHandlerViewEmbedder is created on UI thread. However, this has
caused browser crashes on IO thread when PRIULT resumes loading. The
reason could be that PRIULT has *somehow* gone away and since the
callback uses the raw pointer for binding, it might be causing a UaF.
This CL uses a weak pointer for the callback as a provisional fix.
Bug: 966793
Change-Id: I24d8913ccb8fec52eb588b654febbb42f0880a15
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1626339
Reviewed-by: Avi Drissman <avi@chromium.org>
Commit-Queue: Ehsan Karamad <ekaramad@chromium.org>
Cr-Commit-Position: refs/heads/master@{#663112}
diff --git a/chrome/browser/plugins/plugin_response_interceptor_url_loader_throttle.cc b/chrome/browser/plugins/plugin_response_interceptor_url_loader_throttle.cc
index a5cfe82..8daf0beba 100644
--- a/chrome/browser/plugins/plugin_response_interceptor_url_loader_throttle.cc
+++ b/chrome/browser/plugins/plugin_response_interceptor_url_loader_throttle.cc
@@ -28,7 +28,8 @@
int frame_tree_node_id)
: resource_context_(resource_context),
resource_type_(resource_type),
- frame_tree_node_id_(frame_tree_node_id) {}
+ frame_tree_node_id_(frame_tree_node_id),
+ weak_factory_(this) {}
PluginResponseInterceptorURLLoaderThrottle::
~PluginResponseInterceptorURLLoaderThrottle() = default;
@@ -78,7 +79,7 @@
&payload, &data_pipe_size,
base::BindOnce(
&PluginResponseInterceptorURLLoaderThrottle::ResumeLoad,
- base::Unretained(this)));
+ weak_factory_.GetWeakPtr()));
mojo::DataPipe data_pipe(data_pipe_size);
uint32_t len = static_cast<uint32_t>(payload.size());
diff --git a/chrome/browser/plugins/plugin_response_interceptor_url_loader_throttle.h b/chrome/browser/plugins/plugin_response_interceptor_url_loader_throttle.h
index 63504c9..061a7b5d 100644
--- a/chrome/browser/plugins/plugin_response_interceptor_url_loader_throttle.h
+++ b/chrome/browser/plugins/plugin_response_interceptor_url_loader_throttle.h
@@ -8,6 +8,7 @@
#include <string>
#include "base/macros.h"
+#include "base/memory/weak_ptr.h"
#include "content/public/common/url_loader_throttle.h"
namespace content {
@@ -44,6 +45,9 @@
const int resource_type_;
const int frame_tree_node_id_;
+ base::WeakPtrFactory<PluginResponseInterceptorURLLoaderThrottle>
+ weak_factory_;
+
DISALLOW_COPY_AND_ASSIGN(PluginResponseInterceptorURLLoaderThrottle);
};
