chromium/src
0
Fork 0
Code Activity

[DanglingPtr] Fix dangling pointer in IPCFuzzingTest

Browse Source 
This CL resets `other_` before IPC::Channel is destroyed.

Bug: 1291138
Change-Id: I06f1d85232cd2488eec5c8875ef2c58c5b6d064a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5123798
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Hyowon Kim <hyowon@igalia.com>
Cr-Commit-Position: refs/heads/main@{#1238914}
This commit is contained in:
Hyowon Kim
2023-12-19 02:25:04 +00:00
committed by Chromium LUCI CQ
parent b170957938
commit 3c8bc7f1ed
1 changed files with 7 additions and 4 deletions

11
ipc/ipc_fuzzing_tests.cc

@ -143,11 +143,11 @@ TEST(IPCMessageIntegrity, DISABLED_ReadVectorTooLarge3) {
class SimpleListener : public IPC::Listener {
public:
SimpleListener() : other_(nullptr) {}
void Init(IPC::Sender* s) {
other_ = s;
}
void Init(IPC::Sender* s) { other_ = s; }
void Reset() { other_ = nullptr; }
protected:
raw_ptr<IPC::Sender, DanglingUntriaged> other_;
raw_ptr<IPC::Sender> other_;
};
enum {
@ -298,6 +298,7 @@ TEST_F(IPCFuzzingTest, SanityTest) {
sender()->Send(msg);
EXPECT_TRUE(listener.ExpectMessage(value, MsgClassSI::ID));
listener.Reset();
EXPECT_TRUE(WaitForClientShutdown());
DestroyChannel();
}
@ -323,6 +324,7 @@ TEST_F(IPCFuzzingTest, MsgBadPayloadShort) {
sender()->Send(msg);
EXPECT_TRUE(listener.ExpectMessage(1, MsgClassSI::ID));
listener.Reset();
EXPECT_TRUE(WaitForClientShutdown());
DestroyChannel();
}
@ -354,6 +356,7 @@ TEST_F(IPCFuzzingTest, MsgBadPayloadArgs) {
sender()->Send(msg);
EXPECT_TRUE(listener.ExpectMessage(3, MsgClassIS::ID));
listener.Reset();
EXPECT_TRUE(WaitForClientShutdown());
DestroyChannel();
}