[ MimeHandlerView ] Provisional fix for a browser crash

When a MimeHandlerView related resource is intercepted by the PluginResponseInterceptorURLLoaderThrottle, loading is deferred to when a MimeHandlerViewEmbedder is created on UI thread. However, this has caused browser crashes on IO thread when PRIULT resumes loading. The reason could be that PRIULT has *somehow* gone away and since the callback uses the raw pointer for binding, it might be causing a UaF. This CL uses a weak pointer for the callback as a provisional fix. Bug: 966793 Change-Id: I24d8913ccb8fec52eb588b654febbb42f0880a15 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1626339 Reviewed-by: Avi Drissman <avi@chromium.org> Commit-Queue: Ehsan Karamad <ekaramad@chromium.org> Cr-Commit-Position: refs/heads/master@{#663112}
marcosholgado · May 24, 2019 · 6ce9915 · 6ce9915
1 parent e1bb98d
commit 6ce9915
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/chrome/browser/plugins/plugin_response_interceptor_url_loader_throttle.cc b/chrome/browser/plugins/plugin_response_interceptor_url_loader_throttle.cc
@@ -28,7 +28,8 @@ PluginResponseInterceptorURLLoaderThrottle::
         int frame_tree_node_id)
     : resource_context_(resource_context),
       resource_type_(resource_type),
-      frame_tree_node_id_(frame_tree_node_id) {}
+      frame_tree_node_id_(frame_tree_node_id),
+      weak_factory_(this) {}
 
 PluginResponseInterceptorURLLoaderThrottle::
     ~PluginResponseInterceptorURLLoaderThrottle() = default;
@@ -78,7 +79,7 @@ void PluginResponseInterceptorURLLoaderThrottle::WillProcessResponse(
           &payload, &data_pipe_size,
           base::BindOnce(
               &PluginResponseInterceptorURLLoaderThrottle::ResumeLoad,
-              base::Unretained(this)));
+              weak_factory_.GetWeakPtr()));
 
   mojo::DataPipe data_pipe(data_pipe_size);
   uint32_t len = static_cast<uint32_t>(payload.size());

diff --git a/chrome/browser/plugins/plugin_response_interceptor_url_loader_throttle.h b/chrome/browser/plugins/plugin_response_interceptor_url_loader_throttle.h
@@ -8,6 +8,7 @@
 #include <string>
 
 #include "base/macros.h"
+#include "base/memory/weak_ptr.h"
 #include "content/public/common/url_loader_throttle.h"
 
 namespace content {
@@ -44,6 +45,9 @@ class PluginResponseInterceptorURLLoaderThrottle
   const int resource_type_;
   const int frame_tree_node_id_;
 
+  base::WeakPtrFactory<PluginResponseInterceptorURLLoaderThrottle>
+      weak_factory_;
+
   DISALLOW_COPY_AND_ASSIGN(PluginResponseInterceptorURLLoaderThrottle);
 };