[Backport] Security bug 1428820 (2/3)

Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4394863:
Check SpdyProxyClientSocket is alive after write callback

To ensure that we don't use any member field.

Bug: 1428820
Change-Id: Icf6677c652a47dc2fd2d01675e94cda031a015f2
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4394863
Commit-Queue: Kenichi Ishibashi <bashi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1125634}
(cherry picked from commit b71541b22ca19d5c3a7c01fedffe521b26577b72)
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/474646
Reviewed-by: Michal Klocek <michal.klocek@qt.io>

1 files changed, 7 insertions, 0 deletions

diff --git a/chromium/net/spdy/spdy_proxy_client_socket.cc b/chromium/net/spdy/spdy_proxy_client_socket.cc
index 173fc5cdbb6..d9b67febc27 100644
--- a/chromium/net/spdy/spdy_proxy_client_socket.cc
+++ b/chromium/net/spdy/spdy_proxy_client_socket.cc
@@ -279,7 +279,14 @@ int SpdyProxyClientSocket::GetLocalAddress(IPEndPoint* address) const {
 
 void SpdyProxyClientSocket::RunWriteCallback(int result) {
   CHECK(write_callback_);
+
+  base::WeakPtr<SpdyProxyClientSocket> weak_ptr = weak_factory_.GetWeakPtr();
   std::move(write_callback_).Run(result);
+  if (!weak_ptr) {
+    // `this` was already destroyed while running `write_callback_`. Must
+    // return immediately without touching any field member.
+    return;
+  }
 
   if (end_stream_state_ == EndStreamState::kEndStreamReceived) {
     base::ThreadTaskRunnerHandle::Get()->PostTask(