chore: cherry-pick b7ccc3f6cc from chromium (#25896)

* chore: cherry-pick b7ccc3f6cc from chromium * update patches Co-authored-by: Electron Bot <anonymous@electronjs.org>
2026-04-10 03:01:51 -04:00 · 2020-10-13 04:38:21 +02:00
parent 5e6c03c5c5
commit 40f0c01e15
2 changed files with 51 additions and 0 deletions
--- a/patches/chromium/.patches
+++ b/patches/chromium/.patches
@@ -140,3 +140,4 @@ cherry-pick-814a27f8522b.patch
 cherry-pick-adc731d678c4.patch
 cherry-pick-52dceba66599.patch
 cherry-pick-abc6ab85e704.patch
+avoid_use-after-free.patch
--- a/patches/chromium/avoid_use-after-free.patch
+++ b/patches/chromium/avoid_use-after-free.patch
@@ -0,0 +1,50 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Bruce Dawson <brucedawson@chromium.org>
+Date: Thu, 17 Sep 2020 22:34:58 +0000
+Subject: Avoid use-after-free
+
+SetNotWaitingForResponse can trigger a message pump which can then free
+the object which |this| points to. This use-after-free can be avoided by
+not dereferencing |this| after the call, by ensuring that calling
+SetNotWaitingForResponse is the last thing done.
+
+(cherry picked from commit e1c5c8442210bccfbc2475c9bc75a9cf99bb259e)
+
+Bug: 1125199
+Change-Id: Ie1289c93112151978e6daaa1d24326770028c529
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2407065
+Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
+Commit-Queue: Bruce Dawson <brucedawson@chromium.org>
+Cr-Original-Commit-Position: refs/heads/master@{#806839}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2416264
+Reviewed-by: Bruce Dawson <brucedawson@chromium.org>
+Cr-Commit-Position: refs/branch-heads/4240@{#816}
+Cr-Branched-From: f297677702651916bbf65e59c0d4bbd4ce57d1ee-refs/heads/master@{#800218}
+
+diff --git a/content/browser/web_contents/web_contents_impl.cc b/content/browser/web_contents/web_contents_impl.cc
+index 5b4f85cfadac54fa81a357ebece6f9b274066a29..d300755ec1402d7bd0fb9488a2829962b98853cb 100644
+--- a/content/browser/web_contents/web_contents_impl.cc
+++ b/content/browser/web_contents/web_contents_impl.cc
+@@ -3409,10 +3409,11 @@ void WebContentsImpl::SetNotWaitingForResponse() {
+     return;
+ 
+   waiting_for_response_ = false;
+-  if (delegate_)
+-    delegate_->LoadingStateChanged(this, is_load_to_different_document_);
+   for (auto& observer : observers_)
+     observer.DidReceiveResponse();
+
+  if (delegate_)
+    delegate_->LoadingStateChanged(this, is_load_to_different_document_);
+ }
+ 
+ void WebContentsImpl::SendScreenRects() {
+@@ -4526,6 +4527,8 @@ void WebContentsImpl::ReadyToCommitNavigation(
+             : false);
+   }
+ 
+  // LoadingStateChanged must be called last in case it triggers deletion of
+  // |this| due to recursive message pumps.
+   SetNotWaitingForResponse();
+ }
+