chore: cherry-pick b7ccc3f6cc from chromium (#25893)

* chore: cherry-pick b7ccc3f6cc from chromium * update patches * update patches Co-authored-by: Electron Bot <anonymous@electronjs.org> Co-authored-by: Charles Kerr <ckerr@github.com>
2026-04-10 03:01:51 -04:00 · 2020-10-14 03:19:58 +02:00
parent fe94fd029f
commit 25674a40bd
2 changed files with 51 additions and 0 deletions
--- a/patches/chromium/.patches
+++ b/patches/chromium/.patches
@@ -103,3 +103,4 @@ allow_focus_to_move_into_an_editable_combobox_s_listbox.patch
 reconnect_p2p_socket_dispatcher_if_network_service_dies.patch
 fix_properly_honor_printing_page_ranges.patch
 cherry-pick-8629cd7f8af3.patch
+avoid_use-after-free.patch
--- a/patches/chromium/avoid_use-after-free.patch
+++ b/patches/chromium/avoid_use-after-free.patch
@@ -0,0 +1,50 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Bruce Dawson <brucedawson@chromium.org>
+Date: Thu, 17 Sep 2020 22:34:58 +0000
+Subject: Avoid use-after-free
+
+SetNotWaitingForResponse can trigger a message pump which can then free
+the object which |this| points to. This use-after-free can be avoided by
+not dereferencing |this| after the call, by ensuring that calling
+SetNotWaitingForResponse is the last thing done.
+
+(cherry picked from commit e1c5c8442210bccfbc2475c9bc75a9cf99bb259e)
+
+Bug: 1125199
+Change-Id: Ie1289c93112151978e6daaa1d24326770028c529
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2407065
+Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
+Commit-Queue: Bruce Dawson <brucedawson@chromium.org>
+Cr-Original-Commit-Position: refs/heads/master@{#806839}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2416264
+Reviewed-by: Bruce Dawson <brucedawson@chromium.org>
+Cr-Commit-Position: refs/branch-heads/4240@{#816}
+Cr-Branched-From: f297677702651916bbf65e59c0d4bbd4ce57d1ee-refs/heads/master@{#800218}
+
+diff --git a/content/browser/web_contents/web_contents_impl.cc b/content/browser/web_contents/web_contents_impl.cc
+index 279875a1c109568ec8e658d51a55efdea998dd7d..a7c76413b86fac18f6f1f54c87e67218f094e6b2 100644
+--- a/content/browser/web_contents/web_contents_impl.cc
+++ b/content/browser/web_contents/web_contents_impl.cc
+@@ -3561,10 +3561,11 @@ void WebContentsImpl::SetNotWaitingForResponse() {
+     return;
+ 
+   waiting_for_response_ = false;
+-  if (delegate_)
+-    delegate_->LoadingStateChanged(this, is_load_to_different_document_);
+   for (auto& observer : observers_)
+     observer.DidReceiveResponse();
+
+  if (delegate_)
+    delegate_->LoadingStateChanged(this, is_load_to_different_document_);
+ }
+ 
+ void WebContentsImpl::SendScreenRects() {
+@@ -4533,6 +4534,8 @@ void WebContentsImpl::ReadyToCommitNavigation(
+             : false);
+   }
+ 
+  // LoadingStateChanged must be called last in case it triggers deletion of
+  // |this| due to recursive message pumps.
+   SetNotWaitingForResponse();
+ }
+