Possible use-after-free when menu is closed by its item.
Reported by gga...@opera.com, Aug 6
Issue description

What steps will reproduce the problem?
(1) Add a widget to menu which calls MenuController::Cancel() on mouse press.
(2) Build and run Chrome.
(3) Click the widget.

What is the expected result?
No object is used after it is deleted.

What happens instead?
During execution of MenuController::OnMousePressed() MenuController object is destroyed but the function still uses and modifies its member variables.
,
Aug 21
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/02f393b976c43d48d54f8e9cfc5bf03ea48c398a

commit 02f393b976c43d48d54f8e9cfc5bf03ea48c398a
Author: Grzegorz Gacek <ggacek@opera.com>
Date: Tue Aug 21 10:20:45 2018

Fix possible use-after-free when menu is closed by its item.

Fix use-after-free which occurred when a menu contained an item closing it on a mouse press event. In such case MenuController object was freed during a call of its OnMousePressed() but it continued to modify its member variables.

Bug: 871205
Change-Id: Ic2a5dd3a745da6b0c1ef7a87f2cb498cc1a97234
Reviewed-on: https://chromium-review.googlesource.com/1163617
Reviewed-by: Trent Apted <tapted@chromium.org>
Commit-Queue: Trent Apted <tapted@chromium.org>
Cr-Commit-Position: refs/heads/master@{#584706}

[modify] https://crrev.com/02f393b976c43d48d54f8e9cfc5bf03ea48c398a/ui/views/controls/menu/menu_controller.cc
[modify] https://crrev.com/02f393b976c43d48d54f8e9cfc5bf03ea48c398a/ui/views/controls/menu/menu_controller_unittest.cc
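
The pattern described in this report, as an added example that is not Chromium code and not taken from the linked commit: a hypothetical Controller class (every name here is an assumption) whose OnMousePressed() dispatches to an item handler that may delete the controller. A liveness token held in a local is checked before any member is touched again.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <utility>

// Hypothetical stand-in for a menu controller (not Chromium's MenuController).
class Controller {
 public:
  using Handler = std::function<void()>;
  explicit Controller(Handler on_press) : on_press_(std::move(on_press)) {}

  // Returns false when the item handler destroyed the controller mid-call.
  bool OnMousePressed() {
    std::weak_ptr<int> alive = alive_token_;  // local guard, outlives *this
    Handler handler = on_press_;  // local copy: the member dies with *this
    handler();                    // may re-enter and delete this object
    if (alive.expired())
      return false;  // *this is freed: read or write no member from here on
    ++press_count_;  // safe, the object is still alive
    return true;
  }
  int press_count() const { return press_count_; }

 private:
  Handler on_press_;
  int press_count_ = 0;
  std::shared_ptr<int> alive_token_ = std::make_shared<int>(0);
};

// An item that closes its own menu: the handler deletes the controller.
bool PressWithClosingItem() {
  std::unique_ptr<Controller> menu;
  menu = std::make_unique<Controller>([&menu] { menu.reset(); });
  return menu->OnMousePressed();
}

// An ordinary item: the controller survives and records the press.
int PressWithOrdinaryItem() {
  auto menu = std::make_unique<Controller>([] {});
  return menu->OnMousePressed() ? menu->press_count() : -1;
}

int main() {
  std::printf("closing item survived: %d\n", PressWithClosingItem());
  std::printf("ordinary item presses: %d\n", PressWithOrdinaryItem());
  return 0;
}
```

Removing the expired() check makes ++press_count_ write into freed memory in the closing-item case, which a build with AddressSanitizer reports as heap-use-after-free.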
,
Aug 21
Comment 1 by tapted@chromium.org, Aug 7