Provide a safer URLLoader ReadResponseBody API

ppapi/cpp/url_loader.h

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef PPAPI_CPP_URL_LOADER_H_
 #define PPAPI_CPP_URL_LOADER_H_
 
+#include <vector>
+
 #include "ppapi/c/pp_stdint.h"
+#include "ppapi/cpp/completion_callback.h"
 #include "ppapi/cpp/resource.h"
 
 /// @file
 /// This file defines the API for loading URLs.
 namespace pp {
 
 class CompletionCallback;
 class InstanceHandle;
 class URLRequestInfo;
 class URLResponseInfo;
@@ skipping 98 matching lines @@
   /// @return A <code>URLResponseInfo</code> corresponding to the
   /// <code>URLResponseInfo</code> if successful, an <code>is_null</code>
   /// object if the loader is not a valid resource or if Open() has not been
   /// called.
   URLResponseInfo GetResponseInfo() const;
 
   /// This function is used to read the response body. The size of the buffer
   /// must be large enough to hold the specified number of bytes to read.
   /// This function might perform a partial read.
   ///
+  /// <strong>Caveat:</strong> This ReadResponseBody() is potentially unsafe if
+  /// you're using a CompletionCallbackFactory to scope callbacks to the
+  /// lifetime of your class.  When your class goes out of scope, the callback
+  /// factory will not actually cancel the callback, but will rather just skip
+  /// issuing the callback on your class.  This means that if the UrlLoader
+  /// object outlives your class (if you made a copy saved somewhere else, for
+  /// example), then the browser will still try to write into your buffer when
+  /// the asynchronous read completes, potentially causing a crash.
+  ///
+  /// See the other version of ReadResponseBody() which avoids this problem by
+  /// writing into CompletionCallbackWithOutput, where the output buffer is
+  /// automatically managed by the callback.
+  ///
   /// @param[in,out] buffer A pointer to the buffer for the response body.
   /// @param[in] bytes_to_read The number of bytes to read.
   /// @param[in] cc A <code>CompletionCallback</code> to run on asynchronous
   /// completion. The callback will run if the bytes (full or partial) are
   /// read or an error occurs asynchronously. This callback will run only if
   /// this function returns <code>PP_OK_COMPLETIONPENDING</code>.
   ///
   /// @return An int32_t containing the number of bytes read or an error code
   /// from <code>pp_errors.h</code>.
   int32_t ReadResponseBody(void* buffer,
                            int32_t bytes_to_read,
                            const CompletionCallback& cc);
 
+  /// This function is used to read the responsed body. A PP_ArrayOutput must be
+  /// provided so that output will be stored in its allocated buffer.  This
+  /// function might perform a partial read.
+  ///
+  /// @param[in] max_read_length The number of bytes to read.
+  /// @param[in] cc A <code>CompletionCallbackWithOutput</code> to hold a
+  /// PP_ArrayOutput for output, and run on asynchronous CompletionCallback.
+  /// ReadResponseBody(). The callback will run if the bytes (full or partial)
+  /// are read or an error occurs asynchronously. This callback will run only if
+  /// this function returns <code>PP_OK_COMPLETIONPENDING</code>.
+  ///
+  /// @return An int32_t containing the number of bytes read or an error code
+  /// from <code>pp_errors.h</code>.
+  int32_t ReadResponseBody(
+      int32_t max_read_length,
+      const CompletionCallbackWithOutput< std::vector<char> >& cc);
+
   /// This function is used to wait for the response body to be completely
   /// downloaded to the file provided by the GetBodyAsFileRef() in the current
   /// <code>URLResponseInfo</code>. This function is only used if
   /// <code>PP_URLREQUESTPROPERTY_STREAMTOFILE</code> was set on the
   /// <code>URLRequestInfo</code> passed to Open().
   ///
   /// @param[in] cc A <code>CompletionCallback</code> to run on asynchronous
   /// completion. This callback will run when body is downloaded or an error
   /// occurs after FinishStreamingToFile() returns
   /// <code>PP_OK_COMPLETIONPENDING</code>.
   ///
   /// @return An int32_t containing the number of bytes read or an error code
   /// from <code>pp_errors.h</code>.
   int32_t FinishStreamingToFile(const CompletionCallback& cc);
 
   /// This function is used to cancel any pending IO and close the URLLoader
   /// object. Any pending callbacks will still run, reporting
   /// <code>PP_ERROR_ABORTED</code> if pending IO was interrupted.  It is NOT
   /// valid to call Open() again after a call to this function.
   ///
   /// <strong>Note:</strong> If the <code>URLLoader</code> object is destroyed
   /// while it is still open, then it will be implicitly closed so you are not
   /// required to call Close().
   void Close();
+
+ private:
+  struct CallbackData1_0 {
+    PP_ArrayOutput output;
+    char* temp_buffer;
+    PP_CompletionCallback original_callback;
+  };
+
+  // Provide backwards-compatability for older ReadResponseBody versions.
+  // Converts the old-style "char*" output buffer of 1.0 to the new
+  // "PP_ArrayOutput" interface in 1.1.
+  //
+  // This takes a heap-allocated CallbackData1_0 struct passed as the user data
+  // and deletes it when the call completes.
+  static void CallbackConverter(void* user_data, int32_t result);
 };
 
 }  // namespace pp
 
 #endif  // PPAPI_CPP_URL_LOADER_H_