From d584ce81c98f0b103fe4499bbbc626993d2dbbed Mon Sep 17 00:00:00 2001 From: Steven Michaud Date: Wed, 17 Jun 2015 12:59:34 -0500 Subject: [PATCH] Bug 1167069 - Watch out for deletion of current frame. r=jmathies --- layout/generic/nsPluginFrame.cpp | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/layout/generic/nsPluginFrame.cpp b/layout/generic/nsPluginFrame.cpp index 3a3c81b96172..05599ba8db02 100644 --- a/layout/generic/nsPluginFrame.cpp +++ b/layout/generic/nsPluginFrame.cpp @@ -607,9 +607,19 @@ nsPluginFrame::CallSetWindow(bool aCheckIsHidden) if (aCheckIsHidden && IsHidden()) return NS_ERROR_FAILURE; + // Calling either nsPluginInstanceOwner::FixUpPluginWindow() (here, + // on OS X) or SetWindow() (below, on all platforms) can destroy this + // frame. (FixUpPluginWindow() calls SetWindow()). So grab a safe + // reference to mInstanceOwner which we can use below, if needed. + nsRefPtr instanceOwnerRef(mInstanceOwner); + // refresh the plugin port as well #ifdef XP_MACOSX mInstanceOwner->FixUpPluginWindow(nsPluginInstanceOwner::ePluginPaintEnable); + // Bail now if our frame has been destroyed. + if (!instanceOwnerRef->GetFrame()) { + return NS_ERROR_FAILURE; + } #endif window->window = mInstanceOwner->GetPluginPort(); @@ -641,10 +651,6 @@ nsPluginFrame::CallSetWindow(bool aCheckIsHidden) window->width = intBounds.width / intScaleFactor; window->height = intBounds.height / intScaleFactor; - // Calling SetWindow might destroy this frame. We need to use the instance - // owner to clean up so hold a ref. - nsRefPtr instanceOwnerRef(mInstanceOwner); - // This will call pi->SetWindow and take care of window subclassing // if needed, see bug 132759. Calling SetWindow can destroy this frame // so check for that before doing anything else with this frame's memory.