Fix use-after-free in WebstoreInstaller
Crashes are still occurring in WebstoreInstaller::StartDownload(),
even after several attempts to fix them.
Diagnosis:
The installer holds a pointer to content::NavigationController.
This object is owned by content::WebContents, which can be deleted
before the StartDownload() callback is invoked.
Fix:
Store a pointer to content::WebContents. Inherit from
content::WebContentsObserver, which will clear the pointer when
the WebContents is destroyed.
BUG=165634
Review URL: https://codereview.chromium.org/138803012
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@250865 0039d316-1c4b-4281-b951-d872f2087c98
diff --git a/chrome/browser/extensions/webstore_installer.h b/chrome/browser/extensions/webstore_installer.h
index 7e48bb82..a8b6ce4 100644
--- a/chrome/browser/extensions/webstore_installer.h
+++ b/chrome/browser/extensions/webstore_installer.h
@@ -20,6 +20,7 @@
#include "content/public/browser/download_item.h"
#include "content/public/browser/notification_observer.h"
#include "content/public/browser/notification_registrar.h"
+#include "content/public/browser/web_contents_observer.h"
#include "extensions/common/manifest_handlers/shared_module_info.h"
#include "ui/gfx/image/image_skia.h"
#include "url/gurl.h"
@@ -31,7 +32,7 @@
}
namespace content {
-class NavigationController;
+class WebContents;
}
namespace extensions {
@@ -40,9 +41,10 @@
class Manifest;
// Downloads and installs extensions from the web store.
-class WebstoreInstaller :public content::NotificationObserver,
- public content::DownloadItem::Observer,
- public base::RefCountedThreadSafe<
+class WebstoreInstaller : public content::NotificationObserver,
+ public content::DownloadItem::Observer,
+ public content::WebContentsObserver,
+ public base::RefCountedThreadSafe<
WebstoreInstaller, content::BrowserThread::DeleteOnUIThread> {
public:
enum InstallSource {
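Review bot: The class comment `// Downloads and installs extensions from the web store.` does not record the lifetime contract that the new `content::WebContentsObserver` base introduces. Once the observed WebContents is destroyed, `web_contents()` returns NULL, so every use in the .cc (not visible here), StartDownload() in particular, has to NULL-check it rather than dereference it. The class is also `RefCountedThreadSafe` with `DeleteOnUIThread`, so references may presumably be held on other threads, while the observer accessor is only meaningful on the UI thread. I would extend the class comment with `// Observes the WebContents that requested the install; web_contents() is NULL once it is destroyed and must only be read on the UI thread.` The class body continues outside this hunk.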
@@ -172,7 +174,7 @@
// Note: the delegate should stay alive until being called back.
WebstoreInstaller(Profile* profile,
Delegate* delegate,
- content::NavigationController* controller,
+ content::WebContents* web_contents,
const std::string& id,
scoped_ptr<Approval> approval,
InstallSource source);
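Review bot: `Delegate* delegate` is still a raw pointer whose validity rests only on the comment `// Note: the delegate should stay alive until being called back.` This is the same pattern the commit removes for NavigationController. If a delegate can be destroyed while a download callback is pending, it is a second use-after-free candidate, unless the class already has a way to clear the pointer that is not visible in this hunk; the callers are worth auditing. The new parameter should also be documented next to the existing note, for example `// |web_contents| is observed, not owned, and may be destroyed before the download starts.`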
@@ -237,7 +239,6 @@
content::NotificationRegistrar registrar_;
Profile* profile_;
Delegate* delegate_;
- content::NavigationController* controller_;
std::string id_;
InstallSource install_source_;
// The DownloadItem is owned by the DownloadManager and is valid from when