authorAdrienne Walker <enne@chromium.org>2020-07-22 15:39:33 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2020-08-11 14:49:05 +0000
commit0eed9609606159c3cd5b9d1c47dab23b1a4abc75 (patch)
tree663a247c7f2cec07f679d3a9580e52928fd7ce8c
parentd2f5e4d3a25b3668362015ddba4f3b5932ed200f (diff)
[Backport] CVE-2020-6550: Use after free in IndexedDB
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2311620: indexeddb: fix crash in WebIDBGetDBNamesCallbacksImpl Resolve() can end up freeing WebIDBGetDBNamesCallbacksImpl by throwing a mojo error that deletes the self-owned associated receiver that owns it. So, don't call any other functions after it. As the promise resolver can only resolve/reject once, it is safe to not clear it. Bug: 1106682 Change-Id: Iea943f3c5c1e57adb6ad399baff49522f54d264b Commit-Queue: Daniel Murphy <dmurph@chromium.org> Reviewed-by: Daniel Murphy <dmurph@chromium.org> Auto-Submit: enne <enne@chromium.org> Cr-Commit-Position: refs/heads/master@{#790857} Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/modules/indexeddb/idb_factory.cc3
1 files changed, 1 insertions, 2 deletions
diff --git a/chromium/third_party/blink/renderer/modules/indexeddb/idb_factory.cc b/chromium/third_party/blink/renderer/modules/indexeddb/idb_factory.cc
index c7b06b4c851..645e5cbf682 100644
--- a/chromium/third_party/blink/renderer/modules/indexeddb/idb_factory.cc
+++ b/chromium/third_party/blink/renderer/modules/indexeddb/idb_factory.cc
@@ -105,7 +105,6 @@ class WebIDBGetDBNamesCallbacksImpl : public WebIDBCallbacks {
promise_resolver_->Reject(MakeGarbageCollected<DOMException>(
DOMExceptionCode::kUnknownError,
"The databases() promise was rejected."));
- promise_resolver_.Clear();
}
void SuccessNamesAndVersionsList(
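Review bot: The Reject() path drops `promise_resolver_.Clear();` without any marker that Reject may free |this|, whereas the second hunk (after `promise_resolver_->Resolve(name_and_version_list);`) adds `// Note: Resolve may cause |this| to be deleted.`; the same comment belongs after `"The databases() promise was rejected."));` so a later edit does not reintroduce a member access there. Per the commit message, Resolve/Reject can throw a mojo error that deletes the self-owned associated receiver owning this object, so the rule is stronger than the added note states: no member, `promise_resolver_` included, may be touched after either call. I would phrase it in both places as `// Reject/Resolve may delete |this| via the mojo receiver; no member access after this call.` The enclosing callback in this hunk starts above line 21 and is not visible here, and whether anything else (e.g. a destructor) still relies on `promise_resolver_` having been cleared cannot be confirmed from this diff.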
@@ -129,7 +128,7 @@ class WebIDBGetDBNamesCallbacksImpl : public WebIDBCallbacks {
ExecutionContext::From(promise_resolver_->GetScriptState()),
&async_task_id_, "success");
promise_resolver_->Resolve(name_and_version_list);
- promise_resolver_.Clear();
+ // Note: Resolve may cause |this| to be deleted.
}
void SuccessStringList(const Vector<String>&) override { NOTREACHED(); }