Fix use-after-free in WebstoreInstaller Crashes are still occurring in WebstoreInstaller::StartDownload(), even after several attempts to fix them. Diagnosis: The installer holds a pointer to contents::NavigationController. This object is owned by contents::WebContents, which can be deleted before the StartDownload() callback is invoked. Fix: Store a pointer to contents::WebContents. Inherit from content::WebContentsObserver, which will clear the pointer when the WebContents are destroyed. BUG=165634 Review URL: https://codereview.chromium.org/138803012 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@250865 0039d316-1c4b-4281-b951-d872f2087c98

commit: 2acf3a524eef125b911232b34d3b8df7b27b46fc [log] [tgz]
author: [email protected] <[email protected]@0039d316-1c4b-4281-b951-d872f2087c98> Thu Feb 13 00:26:00 2014
committer: [email protected] <[email protected]@0039d316-1c4b-4281-b951-d872f2087c98> Thu Feb 13 00:26:00 2014
tree: 9df5a2d0038db0a00b97c68d0251e19f19048f1e
parent: 337732c87d5326467a17e99b343fd155e770bd64 [diff] [blame]
diff --git a/chrome/browser/extensions/webstore_standalone_installer.cc b/chrome/browser/extensions/webstore_standalone_installer.cc
index c457b80..0fb4e79 100644
--- a/chrome/browser/extensions/webstore_standalone_installer.cc
+++ b/chrome/browser/extensions/webstore_standalone_installer.cc

@@ -254,7 +254,7 @@
   scoped_refptr<WebstoreInstaller> installer = new WebstoreInstaller(
       profile_,
       this,
-      &(GetWebContents()->GetController()),
+      GetWebContents(),
       id_,
       approval.Pass(),
       install_source_);
commit	2acf3a524eef125b911232b34d3b8df7b27b46fc	[log] [tgz]
author	[email protected] <[email protected]@0039d316-1c4b-4281-b951-d872f2087c98>	Thu Feb 13 00:26:00 2014
committer	[email protected] <[email protected]@0039d316-1c4b-4281-b951-d872f2087c98>	Thu Feb 13 00:26:00 2014
tree	9df5a2d0038db0a00b97c68d0251e19f19048f1e
parent	337732c87d5326467a17e99b343fd155e770bd64 [diff] [blame]