Fix potential UaF in ConversionStorage

Currently, ConversionStorageSql is instantiated and owned by a
ConversionManager instance. ConversionStorageSql is solely accessed
through a SequencedTaskRunner, and is deleted on the same sequence that
it is accessed. ConversionStorageSql also holds a pointer to the manager
which implements the ConversionStorage::Delegate.

Because of this setup, it is possible for the ConversionManager to be
destroyed when there are still storage tasks in the queue that require
a StorageDelegate. Because the storage instance is deleted on the
sequence, the pointer to the ConversionManager is no longer valid and it
will still be accessed.

This change fixes this potential behavior by moving the Delegate
implementation off ConversionManager, and into a separate class that is
only accessed on the storage sequence and owned by ConversionStorageSql.
Because ConversionPolicy cannot be shared, storage related methods are
pulled onto the DelegateImpl.

Bug: 1059840
Change-Id: Ie0fdf7a07d3dbe75359bb29b0dfea8a973ca3db7
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2095435
Commit-Queue: John Delaney <[email protected]>
Reviewed-by: Charlie Harrison <[email protected]>
Cr-Commit-Position: refs/heads/master@{#756454}
diff --git a/content/browser/BUILD.gn b/content/browser/BUILD.gn
index 5ecf27a..2257dc4 100644
--- a/content/browser/BUILD.gn
+++ b/content/browser/BUILD.gn
@@ -689,6 +689,8 @@
     "conversions/conversion_report.cc",
     "conversions/conversion_report.h",
     "conversions/conversion_storage.h",
+    "conversions/conversion_storage_delegate_impl.cc",
+    "conversions/conversion_storage_delegate_impl.h",
     "conversions/conversion_storage_sql.cc",
     "conversions/conversion_storage_sql.h",
     "conversions/storable_conversion.cc",
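Review bot: The two added entries, "conversions/conversion_storage_delegate_impl.cc" and "conversions/conversion_storage_delegate_impl.h", are the only build change visible here, and no test source for the new class appears alongside them. Since the commit message describes a lifetime bug (storage tasks still queued after the ConversionManager is destroyed), please make sure a regression test covers exactly that ordering: destroy the manager with storage tasks pending, then drain the storage sequence, ideally under ASan so a stale delegate pointer fails loudly. If the test lives in a file not shown in this hunk, confirm it is listed in the corresponding test target. It would also help for the new header to state that the delegate is owned by ConversionStorageSql and must only be used on the storage sequence, enforced with a sequence checker, so a later change does not reintroduce a pointer back to the manager.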