author    Mustaq Ahmed <mustaq@google.com>    2022-11-23 15:24:33 +0000
committer Michael Brüning <michael.bruning@qt.io>    2023-02-15 14:01:12 +0000
commit    1e44229bb48f749426d01eac65a8db3cef9cfbf2 (patch)
tree      a05b615ceb0b703b2e10568adaf26e4f6e66b4de
parent    50767ed3f44a7de92913cf505547a8863f4d667c (diff)
download  qtwebengine-chromium-1e44229bb48f749426d01eac65a8db3cef9cfbf2.tar.gz
[Backport] CVE-2023-0702: Type Confusion in Data Transfer
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3645670:

Ensure WFWI::current_drag_data_ is null at the end of a drag.

This is a tentative fix for the DCHECK bugs below. The bugs appeared at two different times, but they share the common symptom that WebFrameWidgetImpl::DragTargetDragEnter very infrequently encounters a non-null current_drag_data_. We were not able to repro the problem.

This tentative fix assumes that an early return on a drag-leave may be accidentally skipping setting the state to null.

Bug: 1316301, 1367848
Change-Id: Ib6e9e000271515a0659a6780a59467db149d3b3f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3645670
Commit-Queue: Mustaq Ahmed <mustaq@chromium.org>
Reviewed-by: Robert Flack <flackr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1075157}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/460499
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--    chromium/third_party/blink/renderer/core/frame/web_frame_widget_impl.cc    1
1 files changed, 1 insertions, 0 deletions
diff --git a/chromium/third_party/blink/renderer/core/frame/web_frame_widget_impl.cc b/chromium/third_party/blink/renderer/core/frame/web_frame_widget_impl.cc
index fb67491ced3..b25701aa1b7 100644
--- a/chromium/third_party/blink/renderer/core/frame/web_frame_widget_impl.cc
+++ b/chromium/third_party/blink/renderer/core/frame/web_frame_widget_impl.cc
@@ -1066,6 +1066,7 @@ void WebFrameWidgetImpl::CancelDrag() {
if (!doing_drag_and_drop_)
return;
GetPage()->GetDragController().DragEnded();
+ current_drag_data_ = nullptr;
doing_drag_and_drop_ = false;
}
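Review bot: the new `current_drag_data_ = nullptr;` sits below the `if (!doing_drag_and_drop_) return;` early return, so a stale `current_drag_data_` is still left in place whenever CancelDrag() is entered with `doing_drag_and_drop_` already false, which is exactly the kind of skipped reset the commit message says this fix is guarding against. Unless the invariant "current_drag_data_ is non-null only while doing_drag_and_drop_ is true" is documented and enforced at every other exit path, consider resetting the pointer unconditionally before the early return, or adding a DCHECK that `current_drag_data_` is null when `doing_drag_and_drop_` is false, so the next occurrence of the non-repro bug at least points at the path that leaked the state. It would also help to record in the commit message which drag-leave exit path was audited, since the hunk only touches CancelDrag() and DragTargetDragEnter is where the stale pointer is observed.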