chore: cherry-pick b7ccc3f6cc from chromium (electron#25897)

ppontes · Electron Bot · web-flow · commit 204f5fbcca93 · 2020-10-14T10:19:49.000+09:00
* chore: cherry-pick b7ccc3f6cc from chromium

* update patches

Co-authored-by: Electron Bot &lt;anonymous@electronjs.org&gt;
diff --git a/patches/chromium/.patches b/patches/chromium/.patches
@@ -133,3 +133,4 @@ cherry-pick-0e61c69ebd47.patch
 cherry-pick-adc731d678c4.patch
 cherry-pick-52dceba66599.patch
 cherry-pick-abc6ab85e704.patch
+avoid_use-after-free.patch
diff --git a/patches/chromium/avoid_use-after-free.patch b/patches/chromium/avoid_use-after-free.patch
@@ -0,0 +1,50 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Bruce Dawson <brucedawson@chromium.org>
+Date: Thu, 17 Sep 2020 22:34:58 +0000
+Subject: Avoid use-after-free
+
+SetNotWaitingForResponse can trigger a message pump which can then free
+the object which |this| points to. This use-after-free can be avoided by
+not dereferencing |this| after the call, by ensuring that calling
+SetNotWaitingForResponse is the last thing done.
+
+(cherry picked from commit e1c5c8442210bccfbc2475c9bc75a9cf99bb259e)
+
+Bug: 1125199
+Change-Id: Ie1289c93112151978e6daaa1d24326770028c529
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2407065
+Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
+Commit-Queue: Bruce Dawson <brucedawson@chromium.org>
+Cr-Original-Commit-Position: refs/heads/master@{#806839}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2416264
+Reviewed-by: Bruce Dawson <brucedawson@chromium.org>
+Cr-Commit-Position: refs/branch-heads/4240@{#816}
+Cr-Branched-From: f297677702651916bbf65e59c0d4bbd4ce57d1ee-refs/heads/master@{#800218}
+
+diff --git a/content/browser/web_contents/web_contents_impl.cc b/content/browser/web_contents/web_contents_impl.cc
+index 36d84bd8a0a80b9801701c48e863762251a99026..28f2c589e8398f922e155b764870335854a5af7b 100644
+--- a/content/browser/web_contents/web_contents_impl.cc
++++ b/content/browser/web_contents/web_contents_impl.cc
+@@ -3386,10 +3386,11 @@ void WebContentsImpl::SetNotWaitingForResponse() {
+     return;
+ 
+   waiting_for_response_ = false;
+-  if (delegate_)
+-    delegate_->LoadingStateChanged(this, is_load_to_different_document_);
+   for (auto& observer : observers_)
+     observer.DidReceiveResponse();
++
++  if (delegate_)
++    delegate_->LoadingStateChanged(this, is_load_to_different_document_);
+ }
+ 
+ void WebContentsImpl::SendScreenRects() {
+@@ -4487,6 +4488,8 @@ void WebContentsImpl::ReadyToCommitNavigation(
+             : false);
+   }
+ 
++  // LoadingStateChanged must be called last in case it triggers deletion of
++  // |this| due to recursive message pumps.
+   SetNotWaitingForResponse();
+ }
+ 
