[Backport] CVE-2019-1369356-based

IndexedDB: Unregister cursors from transactions more consistently.

IndexedDBCursor now calls IndexedDBTransaction::UnregisterOpenCursor()
in Close(), which is called by the destructor.

The previous setup missed an edge case where calling
IndexedDBCursor::Close() directly would not unregister the cursor. This
behavior was relied upon in IndexedDBTransaction::CloseOpenCursors(),
but was not intended at other callsites.

(cherry picked from commit 23303e6f178ca2993bfde7114e6bdf48dd0eff9d)

Bug: 1005753
Reviewed-by: Joshua Bell <jsbell@chromium.org>
Commit-Queue: Victor Costan <pwnall@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#699937}
Reviewed-by: Victor Costan <pwnall@chromium.org>
Cr-Commit-Position: refs/branch-heads/3865@{#872}
Cr-Branched-From: 0cdcc6158160790658d1f033d3db873603250124-refs/heads/master@{#681094}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Change-Id: I9a16b513715e05b3c85e80f9103305f771590a45

1 files changed, 6 insertions, 2 deletions

diff --git a/chromium/content/browser/indexed_db/indexed_db_transaction.cc b/chromium/content/browser/indexed_db/indexed_db_transaction.cc
index 5040dddf49f..b3867a21b49 100644
--- a/chromium/content/browser/indexed_db/indexed_db_transaction.cc
+++ b/chromium/content/browser/indexed_db/indexed_db_transaction.cc
@@ -460,9 +460,13 @@ void IndexedDBTransaction::Timeout() {
 
 void IndexedDBTransaction::CloseOpenCursors() {
   IDB_TRACE1("IndexedDBTransaction::CloseOpenCursors", "txn.id", id());
-  for (auto* cursor : open_cursors_)
-    cursor->Close();
+
+  // IndexedDBCursor::Close() indirectly mutates |open_cursors_|, when it calls
+  // IndexedDBTransaction::UnregisterOpenCursor().
+  std::set<IndexedDBCursor*> open_cursors = std::move(open_cursors_);
   open_cursors_.clear();
+  for (auto* cursor : open_cursors)
+    cursor->Close();
 }
 
 void IndexedDBTransaction::AddPendingObserver(