authorJoey Arhar <jarhar@chromium.org>2022-11-17 04:58:53 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2022-12-06 15:46:01 +0000
commite3bbb5e8fa52c910b959bc8619ddddabc3cc0603 (patch)
tree1505f64b33b0b4251ea32d1c23b438e48a17427c
parent17d93f59e039a04fae7f5583e8b6c872314811dd (diff)
[Backport] CVE-2022-4181: Use after free in Forms
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4032526: Avoid use-after-free in ValidationMessageOverlayDelegate When ValidationMessageOverlayDelegate calls ForceSynchronousDocumentInstall, it can somehow cause another validation overlay to be created and delete the ValidationMessageOverlayDelegate. This patch avoids additional code from being run inside the deleted ValidationMessageOverlayDelegate. (cherry picked from commit a37b66ded21af7ff1442bddd2ec3a0845535b3d6) Fixed: 1382581 Change-Id: I044f91ecb55c77c4a5c40030b6856fc9a8ac7f6f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4019655 Commit-Queue: Joey Arhar <jarhar@chromium.org> Cr-Original-Commit-Position: refs/heads/main@{#1071652} Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4032526 Auto-Submit: Joey Arhar <jarhar@chromium.org> Commit-Queue: David Baron <dbaron@chromium.org> Cr-Commit-Position: refs/branch-heads/5414@{#85} Cr-Branched-From: 4417ee59d7bf6df7a9c9ea28f7722d2ee6203413-refs/heads/main@{#1070088} (cherry picked from commit fb2bc66e8483c76ce56d2021e2ff82883bd16f87) Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/446487 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/core/page/validation_message_overlay_delegate.cc13
-rw-r--r--chromium/third_party/blink/renderer/core/page/validation_message_overlay_delegate.h4
2 files changed, 17 insertions, 0 deletions
diff --git a/chromium/third_party/blink/renderer/core/page/validation_message_overlay_delegate.cc b/chromium/third_party/blink/renderer/core/page/validation_message_overlay_delegate.cc
index 33575769b1f..a8a1df886fd 100644
--- a/chromium/third_party/blink/renderer/core/page/validation_message_overlay_delegate.cc
+++ b/chromium/third_party/blink/renderer/core/page/validation_message_overlay_delegate.cc
@@ -85,6 +85,8 @@ ValidationMessageOverlayDelegate::~ValidationMessageOverlayDelegate() {
EventDispatchForbiddenScope::AllowUserAgentEvents allow_events;
page_->WillBeDestroyed();
}
+ if (destroyed_ptr_)
+ *destroyed_ptr_ = true;
}
LocalFrameView& ValidationMessageOverlayDelegate::FrameView() const {
@@ -175,7 +177,18 @@ void ValidationMessageOverlayDelegate::CreatePage(const FrameOverlay& overlay) {
WriteDocument(data.get());
float zoom_factor = anchor_->GetDocument().GetFrame()->PageZoomFactor();
frame->SetPageZoomFactor(zoom_factor);
+
+ // ForceSynchronousDocumentInstall can cause another call to
+ // ValidationMessageClientImpl::ShowValidationMessage, which will hide this
+ // validation message and may even delete this. In order to avoid continuing
+ // when this is destroyed, |destroyed| will be set to true in the destructor.
+ bool destroyed = false;
+ DCHECK(!destroyed_ptr_);
+ destroyed_ptr_ = &destroyed;
frame->ForceSynchronousDocumentInstall("text/html", data);
+ if (destroyed)
+ return;
+ destroyed_ptr_ = nullptr;
Element& main_message = GetElementById("main-message");
main_message.setTextContent(message_);
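Review bot: The early `return` at `if (destroyed)` leaves CreatePage()'s caller unaware that `this` has been deleted, and CreatePage() is `void`, so any code the caller runs on the delegate after the call (outside this hunk) would still be a use-after-free; worth confirming the caller touches nothing further, or have CreatePage() report the outcome. The `DCHECK(!destroyed_ptr_)` is the only guard against a nested CreatePage() on the same object overwriting the outer `destroyed_ptr_`, and it compiles out in release builds; if that path is reachable, the inner call's `destroyed_ptr_ = nullptr` would silence the outer check. The more conventional way to express this in Chromium is a `base::WeakPtrFactory<ValidationMessageOverlayDelegate>` member with `auto weak_this = weak_factory_.GetWeakPtr();` before the install and `if (!weak_this) return;` after it, which avoids storing a raw pointer to another frame's stack and the manual reset. CreatePage() continues past the end of the hunk.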
diff --git a/chromium/third_party/blink/renderer/core/page/validation_message_overlay_delegate.h b/chromium/third_party/blink/renderer/core/page/validation_message_overlay_delegate.h
index 9db786a4fbd..26e96d8ffad 100644
--- a/chromium/third_party/blink/renderer/core/page/validation_message_overlay_delegate.h
+++ b/chromium/third_party/blink/renderer/core/page/validation_message_overlay_delegate.h
@@ -72,6 +72,10 @@ class CORE_EXPORT ValidationMessageOverlayDelegate
String sub_message_;
TextDirection message_dir_;
TextDirection sub_message_dir_;
+
+ // Used by CreatePage() to determine if this has been deleted in the middle of
+ // the function.
+ bool* destroyed_ptr_ = nullptr;
};
} // namespace blink
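Review bot: The comment on `destroyed_ptr_` says what it is for but not the invariant the destructor relies on: it points at a stack-local owned by CreatePage() and must be null whenever that call is not in progress, otherwise the destructor's write goes through a dangling pointer. Suggest `// Points at a stack-local in CreatePage() for the duration of ForceSynchronousDocumentInstall(); the destructor sets it to true. Must be nullptr at all other times.` The enclosing class declaration starts outside the hunk.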