authorclamy <clamy@chromium.org>2020-06-23 13:23:23 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2020-07-22 15:23:28 +0000
commit288befc5a1e59a30bac5aa26b82e8b8a569c1b33 (patch)
tree15fc3e9ea29c3059bb05fb7a6d69fda1764f7d4c
parente61ea405c3ce8486fb00de64eadfef8e73f85a8f (diff)
[Backport] Security bug 1090543
Backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2254119: Guard against UaF in NavigationRequest This CL adds a check in NavigationRequest::OnWillProcessResponseProcessed to return early if the call to ReadyToCommit leads to the deletion of the NavigationRequest. Bug: 1090543 Change-Id: Ida21db80caef1772f2f21c5d2449d3efe4dd1bb1 Reviewed-by: Michael Brüning <michael.bruning@qt.io>
-rw-r--r--chromium/content/browser/frame_host/navigation_request.cc7
1 files changed, 7 insertions, 0 deletions
diff --git a/chromium/content/browser/frame_host/navigation_request.cc b/chromium/content/browser/frame_host/navigation_request.cc
index f6bef176125..cc38b2ebeab 100644
--- a/chromium/content/browser/frame_host/navigation_request.cc
+++ b/chromium/content/browser/frame_host/navigation_request.cc
@@ -3010,11 +3010,18 @@ void NavigationRequest::OnWillProcessResponseProcessed(
DCHECK(processing_navigation_throttle_);
processing_navigation_throttle_ = false;
if (result.action() == NavigationThrottle::PROCEED) {
+ base::WeakPtr<NavigationRequest> weak_self(weak_factory_.GetWeakPtr());
// If the navigation is done processing the response, then it's ready to
// commit. Inform observers that the navigation is now ready to commit,
// unless it is not set to commit (204/205s/downloads).
if (render_frame_host_)
ReadyToCommitNavigation(false);
+
+ // The call above might block on showing a user dialog. The interaction of
+ // the user with this dialog might result in the WebContents owning this
+ // NavigationRequest to be destroyed. Return if this is the case.
+ if (!weak_self)
+ return;
} else {
state_ = CANCELING;
}
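Review bot: The soundness of the new guard depends on nothing touching `this` between `ReadyToCommitNavigation(false)` and the `if (!weak_self)` check, and the added comment does not say so; a future edit that inserts a member access or a DCHECK on a member in that gap would silently reintroduce the use-after-free the commit fixes. I would extend the new comment with a sentence such as `// Nothing may dereference |this| (including DCHECKs on members) before the weak_self check below.` so the invariant is explicit at the point it matters. The commit also carries no regression test; a test that destroys the WebContents from a WebContentsObserver::ReadyToCommitNavigation override and then lets the throttle result be processed would pin the behaviour, though I have only the hunk to judge what the existing test surface offers. OnWillProcessResponseProcessed continues past the end of the hunk, so any member use after the if/else is now reached only on the live path, which is the intended effect.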