From 847466627013483020c6683c303752b6fab97b97 Mon Sep 17 00:00:00 2001
From: isherman
Date: Wed, 11 Mar 2015 13:36:06 -0700
Subject: [PATCH] Fix a null-pointer dereference in ChromeOS Bluetooth code.
The code had undefined behavior, depending on what order the compiler chose to evaluate the arguments in. Specifically, the call to RegisterProfile() required evaluation of two arguments: |profile->object_path()| and |base::Bind(success_callback, base::Passed(&profile))|. If the latter was evaluated first, then |profile| would be null by the time that the prior was evaluated. The crash stack is:
Program received signal SIGSEGV, Segmentation fault.
std::string::compare() const ()
StartsWithASCII()
dbus::IsValidObjectPath()
dbus::MessageWriter::AppendObjectPath()
chromeos::BluetoothProfileManagerClientImpl::RegisterProfile()
chromeos::BluetoothAdapterProfileChromeOS::Register()
chromeos::BluetoothAdapterChromeOS::UseProfile()
chromeos::BluetoothSocketChromeOS::RegisterProfile()
BUG=457978
TEST=(see bug, comment #14)
R=armansito@chromium.org, jamuraa@chromium.org
Review URL: https://codereview.chromium.org/997023002
Cr-Commit-Position: refs/heads/master@{#320139}
---
 device/bluetooth/bluetooth_adapter_profile_chromeos.cc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/device/bluetooth/bluetooth_adapter_profile_chromeos.cc b/device/bluetooth/bluetooth_adapter_profile_chromeos.cc
index f8003043d632..207c55c4bad2 100644
--- a/device/bluetooth/bluetooth_adapter_profile_chromeos.cc
+++ b/device/bluetooth/bluetooth_adapter_profile_chromeos.cc
@@ -28,8 +28,9 @@ void BluetoothAdapterProfileChromeOS::Register(
 new BluetoothAdapterProfileChromeOS(uuid));
 VLOG(1) << "Registering profile: "
 << profile->object_path().value();
+ const dbus::ObjectPath& object_path = profile->object_path();
 DBusThreadManager::Get()->GetBluetoothProfileManagerClient()->RegisterProfile(
- profile->object_path(),
+ object_path,
 uuid.canonical_value(),
 options,
 base::Bind(success_callback, base::Passed(&profile)),
-- 
2.11.4.GIT
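Review bot: The new `object_path` local carries no comment saying why it exists, so a later cleanup could inline it back into the RegisterProfile() call and silently reintroduce the unspecified-argument-evaluation-order crash this commit fixes; a one-line comment above it such as `// Read before base::Bind() below: base::Passed(&profile) empties |profile|, and argument evaluation order is unspecified.` would pin that down. The local is also a `const dbus::ObjectPath&` into the object `profile` owns, so after `base::Passed(&profile)` runs the reference is only valid because the bound callback now holds that object alive through the call; taking it by value (`const dbus::ObjectPath object_path = profile->object_path();`) removes that lifetime reasoning entirely and, since ObjectPath appears to wrap a single string (the crash stack bottoms out in `std::string::compare()`), the copy is presumably cheap. Register() begins and ends outside the hunk, so I cannot see whether |profile| is used again after the call.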