[Backport] Fix for CVE-2019-5826

Fixed force close during pending connection open

During a force close of the database, the connections to that database
are iterated and force closed. The iteration method was not safe to
modification, and if there was a pending connection waiting to open,
that request would execute once all the other connections were
destroyed and create a new connection.

This change changes the iteration method to account for new connections
that are added during the iteration.

R=cmp@chromium.org

Bug: 941746
Change-Id: Idae4763a6249ece994eab485fbd40aa692a36052
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>

1 files changed, 3 insertions, 3 deletions

diff --git a/chromium/content/browser/indexed_db/indexed_db_database.cc b/chromium/content/browser/indexed_db/indexed_db_database.cc
index 85b6f9d6911..8418828b211 100644
--- a/chromium/content/browser/indexed_db/indexed_db_database.cc
+++ b/chromium/content/browser/indexed_db/indexed_db_database.cc
@@ -2043,10 +2043,10 @@ void IndexedDBDatabase::DeleteDatabase(
 void IndexedDBDatabase::ForceClose() {
   // IndexedDBConnection::ForceClose() may delete this database, so hold ref.
   scoped_refptr<IndexedDBDatabase> protect(this);
-  auto it = connections_.begin();
-  while (it != connections_.end()) {
-    IndexedDBConnection* connection = *it++;
+  while (!connections_.empty()) {
+    IndexedDBConnection* connection = *connections_.begin();
     connection->ForceClose();
+    connections_.erase(connection);
   }
   DCHECK(connections_.empty());
 }