authorScott Violet <sky@chromium.org>2021-03-23 18:47:22 +0000
committerMichael Brüning <michael.bruning@qt.io>2021-04-09 10:50:40 +0000
commit5cc54b6c60ee4cdb3ca49076d8d2baf53f437596 (patch)
treec14ce520c3598e71a54fcdd62e278d2bbf913849
parentfcd5c56fe795bb48ff3b31e0fff038875c5ad689 (diff)
downloadqtwebengine-chromium-5cc54b6c60ee4cdb3ca49076d8d2baf53f437596.tar.gz
[Backport] Security bug 1185482
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2779886: x11/ozone: fix two edge cases WindowTreeHost::OnHostMovedInPixels() may trigger a nested message loop (tab dragging), which means that by the time the stack unwinds, this may have been deleted. This adds an early out if this happens. X11WholeScreenMoveLoop has a similar issue, in so far as notifying the delegate may delete this. BUG=1185482 TEST=WindowTreeHostPlatform.DeleteHostFromOnHostMovedInPixels (cherry picked from commit 5e3a738b1204941aab9f15c0eb3d06e20fefd96e) Change-Id: Ieca1c90b3e4358da50b332abe2941fdbb50c5c25 Reviewed-by: Thomas Anderson <thomasanderson@chromium.org> Commit-Queue: Scott Violet <sky@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#860852} Cr-Commit-Position: refs/branch-heads/4389@{#1583} Cr-Branched-From: 9251c5db2b6d5a59fe4eac7aafa5fed37c139bb7-refs/heads/master@{#843830} Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
-rw-r--r--chromium/ui/aura/window_tree_host.cc4
-rw-r--r--chromium/ui/aura/window_tree_host.h2
-rw-r--r--chromium/ui/aura/window_tree_host_platform.cc7
-rw-r--r--chromium/ui/views/widget/desktop_aura/x11_whole_screen_move_loop.cc4
4 files changed, 16 insertions, 1 deletions
diff --git a/chromium/ui/aura/window_tree_host.cc b/chromium/ui/aura/window_tree_host.cc
index eb60ca912ba..ee6191b71da 100644
--- a/chromium/ui/aura/window_tree_host.cc
+++ b/chromium/ui/aura/window_tree_host.cc
@@ -124,6 +124,10 @@ ui::EventSink* WindowTreeHost::event_sink() {
return dispatcher_.get();
}
+base::WeakPtr<WindowTreeHost> WindowTreeHost::GetWeakPtr() {
+ return weak_factory_.GetWeakPtr();
+}
+
gfx::Transform WindowTreeHost::GetRootTransform() const {
gfx::Transform transform;
transform.Scale(device_scale_factor_, device_scale_factor_);
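Review bot: GetWeakPtr() returns from a `weak_factory_` member that this hunk does not introduce, so it presumably already exists in WindowTreeHost; a WeakPtr only works as a deletion probe if that factory is the last member declared, so its destructor runs first and invalidates outstanding pointers before the sibling members are torn down. Worth confirming in window_tree_host.h, and likewise for the `weak_factory_` used in x11_whole_screen_move_loop.cc, whose header is not touched by this backport either. The surrounding class definition lies outside the hunk, so the member order cannot be checked from here.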
diff --git a/chromium/ui/aura/window_tree_host.h b/chromium/ui/aura/window_tree_host.h
index 77c28cfecc1..15a3f0ed8de 100644
--- a/chromium/ui/aura/window_tree_host.h
+++ b/chromium/ui/aura/window_tree_host.h
@@ -90,6 +90,8 @@ class AURA_EXPORT WindowTreeHost : public ui::internal::InputMethodDelegate,
ui::Compositor* compositor() { return compositor_.get(); }
+ base::WeakPtr<WindowTreeHost> GetWeakPtr();
+
// Gets/Sets the root window's transform.
virtual gfx::Transform GetRootTransform() const;
virtual void SetRootTransform(const gfx::Transform& transform);
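Review bot: The added `GetWeakPtr()` declaration has no comment, while the neighbouring declarations do (`// Gets/Sets the root window's transform.`), so a reader cannot tell that it exists to detect deletion across re-entrant calls rather than as a general-purpose handle. Suggest `// Returns a WeakPtr that is invalidated when this host is destroyed; used to detect deletion across re-entrant calls.` above it. The method is public and hands out a pointer to `this`; if OnBoundsChanged() is its only intended caller, a narrower access level would keep the surface smaller, though that is a judgement call. The enclosing class begins and ends outside the hunk.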
diff --git a/chromium/ui/aura/window_tree_host_platform.cc b/chromium/ui/aura/window_tree_host_platform.cc
index ae7a71ac0c4..039befdfd81 100644
--- a/chromium/ui/aura/window_tree_host_platform.cc
+++ b/chromium/ui/aura/window_tree_host_platform.cc
@@ -192,9 +192,14 @@ void WindowTreeHostPlatform::OnBoundsChanged(const gfx::Rect& new_bounds) {
float current_scale = compositor()->device_scale_factor();
float new_scale = ui::GetScaleFactorForNativeView(window());
gfx::Rect old_bounds = bounds_;
+ auto weak_ref = GetWeakPtr();
bounds_ = new_bounds;
- if (bounds_.origin() != old_bounds.origin())
+ if (bounds_.origin() != old_bounds.origin()) {
OnHostMovedInPixels(bounds_.origin());
+ // Changing the bounds may destroy this.
+ if (!weak_ref)
+ return;
+ }
if (pending_local_surface_id_.is_valid() ||
bounds_.size() != old_bounds.size() || current_scale != new_scale) {
auto local_surface_id = bounds_.size() == pending_size_
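Review bot: The comment `// Changing the bounds may destroy this.` understates the mechanism: per the description, OnHostMovedInPixels() can run a nested message loop (tab dragging) and `this` may already be gone when the call returns, so `// OnHostMovedInPixels() may run a nested message loop that deletes |this|.` would tell the next reader why the guard must sit immediately after that call and not later. The regression test named in the description, WindowTreeHostPlatform.DeleteHostFromOnHostMovedInPixels, is not among the four files in this backport, so the fix lands here without its test; consider carrying it over if the test file exists on this branch. OnBoundsChanged() begins and ends outside the hunk, so the remaining uses of `this` after the guard are only partly visible.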
diff --git a/chromium/ui/views/widget/desktop_aura/x11_whole_screen_move_loop.cc b/chromium/ui/views/widget/desktop_aura/x11_whole_screen_move_loop.cc
index d6b086c11f8..dc3a403c01c 100644
--- a/chromium/ui/views/widget/desktop_aura/x11_whole_screen_move_loop.cc
+++ b/chromium/ui/views/widget/desktop_aura/x11_whole_screen_move_loop.cc
@@ -59,9 +59,13 @@ X11WholeScreenMoveLoop::~X11WholeScreenMoveLoop() {}
void X11WholeScreenMoveLoop::DispatchMouseMovement() {
if (!last_motion_in_screen_)
return;
+ auto weak_ref = weak_factory_.GetWeakPtr();
delegate_->OnMouseMovement(last_motion_in_screen_->location(),
last_motion_in_screen_->flags(),
last_motion_in_screen_->time_stamp());
+ // The delegate may delete this during dispatch.
+ if (!weak_ref)
+ return;
last_motion_in_screen_.reset();
}
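Review bot: The early return after the guard deliberately skips `last_motion_in_screen_.reset()`, because when `weak_ref` is null there is no object left whose member could be reset; stating that explicitly prevents a later refactor from reordering the reset relative to the delegate call or the guard. Suggest expanding the comment to `// The delegate may delete this during dispatch; if so, nothing remains to reset.`. DispatchMouseMovement() is fully visible in the hunk.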