author | Allan Sandfeld Jensen <allan.jensen@theqtcompany.com> | 2016-02-02 12:48:26 +0100 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@theqtcompany.com> | 2016-02-02 12:13:02 +0000 |
commit | 3ffd36d63c36e5aa94a68f3ce12eb8dd20b3b44c (patch) | |
tree | 7c8f0911be1cfaa1e09a8071018fed38852202f0 /chromium/content/renderer/render_view_browsertest.cc | |
parent | ec84d41000c53256d348cd9ee96b912c8a8628ec (diff) | |
download | qtwebengine-chromium-40.0.2214-based.tar.gz |
Cherry-pick fix for CVE-2015-1237 (40.0.2214-based)
Clear RenderFrameImpl::frame_ pointer after deleting it.
Also avoid dereferencing it in OnMessageReceived after deletion.
BUG=461191
TEST=No more crashes in RenderFrameImpl::OnMessageReceived
Review URL: https://codereview.chromium.org/1007123003
Change-Id: I0f2dcd9e9e78e4255f37ddaa8d5b75b0852d9521
Reviewed-by: Michael Brüning <michael.bruning@theqtcompany.com>
Diffstat (limited to 'chromium/content/renderer/render_view_browsertest.cc')
-rw-r--r-- | chromium/content/renderer/render_view_browsertest.cc | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/chromium/content/renderer/render_view_browsertest.cc b/chromium/content/renderer/render_view_browsertest.cc
index bc75a42a891..eb90dd17aee 100644
--- a/chromium/content/renderer/render_view_browsertest.cc
+++ b/chromium/content/renderer/render_view_browsertest.cc
@@ -287,6 +287,31 @@ class RenderViewImplTest : public RenderViewTest {
   scoped_ptr<MockKeyboard> mock_keyboard_;
 };
 
+// Test for https://crbug.com/461191.
+TEST_F(RenderViewImplTest, RenderFrameMessageAfterDetach) {
+  // Create a new main frame RenderFrame so that we don't interfere with the
+  // shutdown of frame() in RenderViewTest.TearDown.
+  blink::WebURLRequest popup_request(GURL("http://foo.com"));
+  blink::WebView* new_web_view = view()->createView(
+      GetMainFrame(), popup_request, blink::WebWindowFeatures(), "foo",
+      blink::WebNavigationPolicyNewForegroundTab, false);
+  RenderViewImpl* new_view = RenderViewImpl::FromWebView(new_web_view);
+  RenderFrameImpl* new_frame =
+      static_cast<RenderFrameImpl*>(new_view->GetMainRenderFrame());
+
+  // Detach the main frame.
+  new_view->Close();
+
+  // Before the frame is asynchronously deleted, it may receive a message.
+  // We should not crash here, and the message should not be processed.
+  scoped_ptr<const IPC::Message> msg(
+      new FrameMsg_Stop(frame()->GetRoutingID()));
+  EXPECT_FALSE(new_frame->OnMessageReceived(*msg));
+
+  // Clean up after the new view so we don't leak it.
+  new_view->Release();
+}
+
 TEST_F(RenderViewImplTest, SaveImageFromDataURL) {
   const IPC::Message* msg1 = render_thread_->sink().GetFirstMessageMatching(
       ViewHostMsg_SaveImageFromDataURL::ID);
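Review bot: The `EXPECT_FALSE(new_frame->OnMessageReceived(*msg))` assertion only establishes that the message was not handled; any other early-return path in OnMessageReceived would also yield `false`, so the test does not by itself pin the use-after-free fix (the cleared `frame_` pointer) that the commit message describes, and nothing in the hunk inspects the frame's state after `new_view->Close()`. The message is also addressed with `frame()->GetRoutingID()` rather than the detached frame's id; dispatch here is direct so the routing id does not affect the result, but capturing `int routing_id = new_frame->GetRoutingID();` before `Close()` and using `new FrameMsg_Stop(routing_id)` would make the test read as a message destined for the detached frame without touching it after detach. The test also relies on the deletion scheduled by `Close()` not running before the `OnMessageReceived` call, which appears to hold only because no message loop is pumped in between; if that deletion ever became synchronous, `new_frame` would dangle and the test itself would be a use-after-free, so a comment such as `// new_frame is still alive here: Close() only schedules its deletion.` would document the assumption. The `RenderViewImplTest` fixture whose closing `};` opens the hunk starts outside it.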