Avoid using stale UserScript pointers

BUG=625393
TEST=Manually. Compile Chrome with ASAN and follow the steps from the bug report.

Review-Url: https://codereview.chromium.org/2116923002
Cr-Commit-Position: refs/heads/master@{#403725}
diff --git a/extensions/renderer/user_script_injector.cc b/extensions/renderer/user_script_injector.cc
index 71b41eb..1910548 100644
--- a/extensions/renderer/user_script_injector.cc
+++ b/extensions/renderer/user_script_injector.cc
@@ -104,8 +104,10 @@
     const std::vector<UserScript*>& scripts) {
   // If the host causing this injection changed, then this injection
   // will be removed, and there's no guarantee the backing script still exists.
-  if (changed_hosts.count(host_id_) > 0)
+  if (changed_hosts.count(host_id_) > 0) {
+    script_ = nullptr;
     return;
+  }
 
   for (std::vector<UserScript*>::const_iterator iter = scripts.begin();
        iter != scripts.end();
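Review bot: Clearing `script_` only on the changed-host path leaves the other path exposed if the loop below can finish without finding a match, because the old pointer would then survive an update that may have deleted its target. The loop body lies outside this hunk, so this is inferred, but a `script_ = nullptr;` placed just above the `for` would cover both cases, with the match inside the loop re-assigning it. The new assignment also deserves a short comment, such as `// The backing UserScript may already be freed; drop the pointer so later calls see null rather than dangling memory.` The commit message lists only a manual ASAN run, so a regression test that sends an update for this host and then calls the injector's getters would keep the guards from regressing.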
@@ -137,13 +139,13 @@
 
 bool UserScriptInjector::ShouldInjectJs(
     UserScript::RunLocation run_location) const {
-  return script_->run_location() == run_location &&
+  return script_ && script_->run_location() == run_location &&
          !script_->js_scripts().empty();
 }
 
 bool UserScriptInjector::ShouldInjectCss(
     UserScript::RunLocation run_location) const {
-  return run_location == UserScript::DOCUMENT_START &&
+  return script_ && run_location == UserScript::DOCUMENT_START &&
          !script_->css_scripts().empty();
 }
 
@@ -151,6 +153,11 @@
     const InjectionHost* injection_host,
     blink::WebLocalFrame* web_frame,
     int tab_id) const {
+  // There is no harm in allowing the injection when the script is gone,
+  // because there is nothing to inject.
+  if (!script_)
+    return PermissionsData::ACCESS_ALLOWED;
+
   if (script_->consumer_instance_type() ==
           UserScript::ConsumerInstanceType::WEBVIEW) {
     int routing_id = content::RenderView::FromWebView(web_frame->top()->view())
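Review bot: Returning `PermissionsData::ACCESS_ALLOWED` when `script_` is null makes this permission check fail open, which is safe only while every source getter also returns nothing for a null script. That invariant is spread across several methods in this commit (`ShouldInjectJs`, `ShouldInjectCss`, `GetJsSources` and its CSS counterpart), so a later method that forgets the guard would run with access already granted. Unless a caller outside this hunk needs the allowed result to finish the injection, failing closed is the safer default: `return PermissionsData::ACCESS_DENIED;`. If the allowed result must stay, the comment should name what it relies on, e.g. `// Safe only because the JS/CSS source getters return empty when |script_| is null.` The function body continues past the end of the hunk.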
@@ -191,9 +198,12 @@
 
 std::vector<blink::WebScriptSource> UserScriptInjector::GetJsSources(
     UserScript::RunLocation run_location) const {
+  std::vector<blink::WebScriptSource> sources;
+  if (!script_)
+    return sources;
+
   DCHECK_EQ(script_->run_location(), run_location);
 
-  std::vector<blink::WebScriptSource> sources;
   const UserScript::FileList& js_scripts = script_->js_scripts();
 
   for (UserScript::FileList::const_iterator iter = js_scripts.begin();
@@ -224,6 +234,9 @@
   DCHECK_EQ(UserScript::DOCUMENT_START, run_location);
 
   std::vector<std::string> sources;
+  if (!script_)
+    return sources;
+
   const UserScript::FileList& css_scripts = script_->css_scripts();
   for (UserScript::FileList::const_iterator iter = css_scripts.begin();
        iter != css_scripts.end();
@@ -236,6 +249,9 @@
 void UserScriptInjector::GetRunInfo(
     ScriptsRunInfo* scripts_run_info,
     UserScript::RunLocation run_location) const {
+  if (!script_)
+    return;
+
   if (ShouldInjectJs(run_location)) {
     const UserScript::FileList& js_scripts = script_->js_scripts();
     scripts_run_info->num_js += js_scripts.size();