mirrors/electron
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

fix: heap-use-after-free in tray.popUpContextMenu (#22842)

Browse source
This commit is contained in:
Jeremy Apthorp 2020-03-26 18:30:21 -07:00 committed by GitHub
parent 8ff7a1160a
commit ac501e8194
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 15 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
shell/browser/ui/tray_icon_cocoa.mm
View file

@ -181,8 +181,16 @@
useDefaultAccelerator:NO]); useDefaultAccelerator:NO]);
// Hacky way to mimic design of ordinary tray menu. // Hacky way to mimic design of ordinary tray menu.
[statusItem_ setMenu:[menuController menu]]; [statusItem_ setMenu:[menuController menu]];
// -performClick: is a blocking call, which will run the task loop inside
// itself. This can potentially include running JS, which can result in
// this object being released. We take a temporary reference here to make
// sure we stay alive long enough to successfully return from this
// function.
// TODO(nornagon/codebytere): Avoid nesting task loops here.
[self retain];
[[statusItem_ button] performClick:self]; [[statusItem_ button] performClick:self];
[statusItem_ setMenu:[menuController_ menu]]; [statusItem_ setMenu:[menuController_ menu]];
[self release];
return; return;
} }

7
spec-main/api-tray-spec.ts
View file

@ -73,6 +73,13 @@ describe('tray module', () => {
}); });
tray.popUpContextMenu(); tray.popUpContextMenu();
}); });
it('can be called with a menu', () => {
const menu = Menu.buildFromTemplate([{ label: 'Test' }]);
expect(() => {
tray.popUpContextMenu(menu);
}).to.not.throw();
});
}); });
describe('tray.closeContextMenu()', () => { describe('tray.closeContextMenu()', () => {