[Backport] Fix for CVE-2019-5808

Manual backport from scoped_refptr to WTF::RefPtr
Make ElementResolveContext hold a ref to the root element's ComputedStyle

Bug: 947029
Change-Id: I94fc947269bdeb868df6439c70bf9dbc8f24ab4b
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>

1 files changed, 2 insertions, 2 deletions

diff --git a/chromium/third_party/WebKit/Source/core/css/resolver/ElementResolveContext.h b/chromium/third_party/WebKit/Source/core/css/resolver/ElementResolveContext.h
index a28c1147c27..34f383a86c0 100644
--- a/chromium/third_party/WebKit/Source/core/css/resolver/ElementResolveContext.h
+++ b/chromium/third_party/WebKit/Source/core/css/resolver/ElementResolveContext.h
@@ -45,7 +45,7 @@ class CORE_EXPORT ElementResolveContext {
 
   Element* element() const { return m_element; }
   const ContainerNode* parentNode() const { return m_parentNode; }
-  const ComputedStyle* rootElementStyle() const { return m_rootElementStyle; }
+  const ComputedStyle* rootElementStyle() const { return m_rootElementStyle.get(); }
   const ComputedStyle* parentStyle() const {
     return parentNode() ? parentNode()->computedStyle() : nullptr;
   }
@@ -57,7 +57,7 @@ class CORE_EXPORT ElementResolveContext {
  private:
   Member<Element> m_element;
   Member<ContainerNode> m_parentNode;
-  const ComputedStyle* m_rootElementStyle;
+  RefPtr<const ComputedStyle> m_rootElementStyle;
   EInsideLink m_elementLinkState;
   bool m_distributedToInsertionPoint;
 };