From 3ff5e4ab3984a6d0ddabb951e205637bc35e3739 Mon Sep 17 00:00:00 2001
From: "dgrogan@chromium.org"
Date: Wed, 24 Jul 2013 23:09:44 +0000
Subject: [PATCH] Fix IDB browser crash when renderer is killed because of malformed IPC.
BUG=263178
Review URL: https://chromiumcodereview.appspot.com/20071005
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@213539 0039d316-1c4b-4281-b951-d872f2087c98
---
 content/browser/indexed_db/indexed_db_callbacks.cc | 2 ++
 content/browser/indexed_db/indexed_db_dispatcher_host.cc | 5 ++++-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/content/browser/indexed_db/indexed_db_callbacks.cc b/content/browser/indexed_db/indexed_db_callbacks.cc
index 1db9747e7e75..46270db75311 100644
--- a/content/browser/indexed_db/indexed_db_callbacks.cc
+++ b/content/browser/indexed_db/indexed_db_callbacks.cc
@@ -118,6 +118,8 @@ void IndexedDBCallbacks::OnUpgradeNeeded(
 dispatcher_host_->RegisterTransactionId(host_transaction_id_, origin_url_);
 int32 ipc_database_id =
 dispatcher_host_->Add(connection.release(), ipc_thread_id_, origin_url_);
+ if (ipc_database_id < 0)
+ return;
 ipc_database_id_ = ipc_database_id;
 IndexedDBMsg_CallbacksUpgradeNeeded_Params params;
 params.ipc_thread_id = ipc_thread_id_;
diff --git a/content/browser/indexed_db/indexed_db_dispatcher_host.cc b/content/browser/indexed_db/indexed_db_dispatcher_host.cc
index 2b4c64f0c2a3..e926a9073d76 100644
--- a/content/browser/indexed_db/indexed_db_dispatcher_host.cc
+++ b/content/browser/indexed_db/indexed_db_dispatcher_host.cc
@@ -121,8 +121,9 @@ int32 IndexedDBDispatcherHost::Add(IndexedDBConnection* connection,
 int32 ipc_thread_id,
 const GURL& origin_url) {
 if (!database_dispatcher_host_) {
+ connection->Close();
 delete connection;
- return 0;
+ return -1;
 }
 int32 ipc_database_id = database_dispatcher_host_->map_.Add(connection);
 Context()->ConnectionOpened(origin_url, connection);
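Review bot: The new `if (ipc_database_id < 0) return;` guard in OnUpgradeNeeded sits after `dispatcher_host_->RegisterTransactionId(host_transaction_id_, origin_url_)`, so the registration still runs in the torn-down state that makes Add() return -1. The FinishTransaction hunk of this commit shows `database_dispatcher_host_->transaction_url_map_` being dereferenced; if RegisterTransactionId writes that same map (its body is not visible here), it needs its own `if (!database_dispatcher_host_) return;` or the failure check has to happen before the registration. A short comment above the guard, e.g. `// Add() returns -1 once the dispatcher host has been shut down; there is no one left to notify.`, would also explain the silent early return. OnUpgradeNeeded starts and ends outside the hunk.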
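Review bot: The failure value of Add() changes from `0` to `-1` with no named constant or comment, and the only caller updated in this patch is OnUpgradeNeeded. Any other caller of Add() (none are visible here) that stores or sends the returned id unchecked could now pass -1 on as a database id, so each call site should be audited for a `< 0` check. I would document the contract on the function, e.g. `// Takes ownership of |connection|. Returns -1, after closing and deleting it, if the host has already been shut down.`, and consider a named constant for the sentinel. Add() continues past the end of the hunk.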
@@ -262,6 +263,8 @@ void IndexedDBDispatcherHost::OnIDBFactoryDeleteDatabase(
 void IndexedDBDispatcherHost::FinishTransaction(int64 host_transaction_id,
 bool committed) {
 DCHECK(indexed_db_context_->TaskRunner()->RunsTasksOnCurrentThread());
+ if (!database_dispatcher_host_)
+ return;
 TransactionIDToURLMap& transaction_url_map =
 database_dispatcher_host_->transaction_url_map_;
 TransactionIDToSizeMap& transaction_size_map =
--
2.11.4.GIT
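Review bot: The added `if (!database_dispatcher_host_) return;` in FinishTransaction carries no comment saying when the member can be null, and the diffstat lists only the two .cc files, so nothing in this commit exercises the renderer-killed path it fixes. I would add `// Null once the host has been shut down (e.g. renderer killed for a malformed IPC); no per-transaction bookkeeping is left to update.` above the check, with the wording confirmed against the shutdown code, which is not visible here. A regression test that finishes a transaction after teardown would keep this crash from returning. The function body continues past the end of the hunk.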