authorKenichi Ishibashi <bashi@chromium.org>2023-04-18 05:58:29 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2023-05-02 09:00:36 +0000
commit02dae3cb78501355b8419078cd0574a56f6d8e9a (patch)
tree809942b190878970306e9d312505f1b1f58b3bb9
parent156138117d86daf4a80950d419fb1a2405241368 (diff)
downloadqtwebengine-chromium-02dae3cb78501355b8419078cd0574a56f6d8e9a.tar.gz
[Backport] Security bug 1428820 (3/3)
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4437791: Check callback availability in SpdyProxyClientSocket::RunWriteCallback OnClose() could consume `write_callback_` so it may not be available when RunWriteCallback() is invoked. Bug: 1428820 Change-Id: I9a5ade62d67f5bf15e12d0915d1ad6098657ffd4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4437791 Code-Coverage: Findit <findit-for-me@appspot.gserviceaccount.com> Reviewed-by: Adam Rice <ricea@chromium.org> Commit-Queue: Kenichi Ishibashi <bashi@chromium.org> Cr-Commit-Position: refs/heads/main@{#1131689} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/474647 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/net/spdy/spdy_proxy_client_socket.cc7
1 files changed, 4 insertions, 3 deletions
diff --git a/chromium/net/spdy/spdy_proxy_client_socket.cc b/chromium/net/spdy/spdy_proxy_client_socket.cc
index d9b67febc27..bdcf24a1cb6 100644
--- a/chromium/net/spdy/spdy_proxy_client_socket.cc
+++ b/chromium/net/spdy/spdy_proxy_client_socket.cc
@@ -278,10 +278,11 @@ int SpdyProxyClientSocket::GetLocalAddress(IPEndPoint* address) const {
}
void SpdyProxyClientSocket::RunWriteCallback(int result) {
- CHECK(write_callback_);
-
base::WeakPtr<SpdyProxyClientSocket> weak_ptr = weak_factory_.GetWeakPtr();
- std::move(write_callback_).Run(result);
+ // `write_callback_` might be consumed by OnClose().
+ if (write_callback_) {
+ std::move(write_callback_).Run(result);
+ }
if (!weak_ptr) {
// `this` was already destroyed while running `write_callback_`. Must
// return immediately without touching any field member.
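Review bot: When `write_callback_` is empty, the new guard at `if (write_callback_)` discards `result` without a trace, and the one-line comment does not say why dropping it is correct. I would expand it to something like `// OnClose() can run before this function and consume write_callback_, completing the pending write itself; skip the late result rather than invoke a null callback.` The "completing the pending write itself" part is inferred from the commit message and should be confirmed against OnClose(). RunWriteCallback's body continues past the end of this hunk, so whatever follows the `!weak_ptr` early return now also executes in the already-closed case where the old `CHECK(write_callback_)` would have aborted; that tail is worth a second look for member accesses that assume a live stream. The diffstat shows only this file changed, so a regression test that exercises the OnClose-then-RunWriteCallback ordering would be a useful follow-up.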