author | Kenichi Ishibashi <bashi@chromium.org> | 2023-04-18 05:58:29 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2023-05-02 09:00:36 +0000 |
commit | 02dae3cb78501355b8419078cd0574a56f6d8e9a (patch) | |
tree | 809942b190878970306e9d312505f1b1f58b3bb9 | |
parent | 156138117d86daf4a80950d419fb1a2405241368 (diff) | |
download | qtwebengine-chromium-02dae3cb78501355b8419078cd0574a56f6d8e9a.tar.gz |
[Backport] Security bug 1428820 (3/3)
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4437791:
Check callback availability in SpdyProxyClientSocket::RunWriteCallback
OnClose() could consume `write_callback_` so it may not be available
when RunWriteCallback() is invoked.
Bug: 1428820
Change-Id: I9a5ade62d67f5bf15e12d0915d1ad6098657ffd4
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4437791
Code-Coverage: Findit <findit-for-me@appspot.gserviceaccount.com>
Reviewed-by: Adam Rice <ricea@chromium.org>
Commit-Queue: Kenichi Ishibashi <bashi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1131689}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/474647
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/net/spdy/spdy_proxy_client_socket.cc | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/chromium/net/spdy/spdy_proxy_client_socket.cc b/chromium/net/spdy/spdy_proxy_client_socket.cc index d9b67febc27..bdcf24a1cb6 100644 --- a/chromium/net/spdy/spdy_proxy_client_socket.cc +++ b/chromium/net/spdy/spdy_proxy_client_socket.cc @@ -278,10 +278,11 @@ int SpdyProxyClientSocket::GetLocalAddress(IPEndPoint* address) const { } void SpdyProxyClientSocket::RunWriteCallback(int result) { - CHECK(write_callback_); - base::WeakPtr<SpdyProxyClientSocket> weak_ptr = weak_factory_.GetWeakPtr(); - std::move(write_callback_).Run(result); + // `write_callback_` might be consumed by OnClose(). + if (write_callback_) { + std::move(write_callback_).Run(result); + } if (!weak_ptr) { // `this` was already destroyed while running `write_callback_`. Must // return immediately without touching any field member. |
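Review bot: the new `if (write_callback_)` guard in RunWriteCallback() silently discards `result` when the callback is already gone, and the one-line comment says only that OnClose() might have consumed it, not how RunWriteCallback() still comes to be invoked afterwards. Consider expanding the comment to name that ordering, so that a later reader does not restore the removed `CHECK(write_callback_)` as a cleanup. The diffstat shows only spdy_proxy_client_socket.cc changing; a unit test that runs OnClose() before RunWriteCallback() would pin the new behaviour down and confirm that the `if (!weak_ptr)` early return still covers the case where the callback destroys `this`.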