authorDave Tapuska <dtapuska@chromium.org>2022-01-04 22:52:37 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2022-02-12 15:19:47 +0000
commit89b8cf2d987f0fd0277d34d8474cbcec5004404c (patch)
tree7b1879775274baa85ba95f1d30c4151d8c3f06b2 /chromium/third_party/blink/renderer/core/page/chrome_client_impl.cc
parentcde74732aca39154f9d419c948c2420e6db2c873 (diff)
downloadqtwebengine-chromium-89b8cf2d987f0fd0277d34d8474cbcec5004404c.tar.gz
[Backport] CVE-2022-0460: Use after free in Window Dialog
Manual cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3247534: Cancel WebPagePopup immediately on WebViewImpl::Close. If we have a WebPagePopup, cancel it immediately. Detaching it from the layout was handled via detaching the layout nodes, but that is slightly complex. Call cancel before we destroy the layout tree. BUG=1250227 Change-Id: I8707e59a3c99a57a16d8b8d8cb35213a33365833 Reviewed-by: Stefan Zager <szager@chromium.org> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Commit-Queue: Dave Tapuska <dtapuska@chromium.org> Cr-Commit-Position: refs/heads/main@{#955417} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'chromium/third_party/blink/renderer/core/page/chrome_client_impl.cc')
-rw-r--r--chromium/third_party/blink/renderer/core/page/chrome_client_impl.cc53
1 files changed, 51 insertions, 2 deletions
diff --git a/chromium/third_party/blink/renderer/core/page/chrome_client_impl.cc b/chromium/third_party/blink/renderer/core/page/chrome_client_impl.cc
index abcd00fc0ab..3f3e8ccf983 100644
--- a/chromium/third_party/blink/renderer/core/page/chrome_client_impl.cc
+++ b/chromium/third_party/blink/renderer/core/page/chrome_client_impl.cc
@@ -168,7 +168,9 @@ class CompositorAnimationTimeline;
ChromeClientImpl::ChromeClientImpl(WebViewImpl* web_view)
: web_view_(web_view),
cursor_overridden_(false),
- did_request_non_empty_tool_tip_(false) {}
+ did_request_non_empty_tool_tip_(false) {
+ DCHECK(web_view_);
+}
ChromeClientImpl::~ChromeClientImpl() {
DCHECK(file_chooser_queue_.IsEmpty());
@@ -185,10 +187,13 @@ WebViewImpl* ChromeClientImpl::GetWebView() const {
}
void ChromeClientImpl::ChromeDestroyed() {
- // Our lifetime is bound to the WebViewImpl.
+ // Clear |web_view_| since it is refcounted and this class is a GC'd object
+ // and may outlive the WebViewImpl.
+ web_view_ = nullptr;
}
void ChromeClientImpl::SetWindowRect(const IntRect& r, LocalFrame& frame) {
+ DCHECK(web_view_);
DCHECK_EQ(&frame, web_view_->MainFrameImpl()->GetFrame());
web_view_->MainFrameViewWidget()->SetWindowRect(r);
}
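Review bot: ChromeDestroyed now clears `web_view_`, but the `DCHECK(web_view_)` guards added here and in every following hunk (SetWindowRect through UserZoomFactor) compile out in release builds, so a late call on a still-alive GC'd ChromeClientImpl becomes a deterministic null-pointer dereference rather than a use of the already-destroyed WebViewImpl; that crash-instead-of-dangling-access behaviour is the actual mitigation and the comment should state it, e.g. `// Every entry point below DCHECKs web_view_; in release builds a call after this point crashes on nullptr instead of touching freed memory.` GetWebView() (the function header at the top of this hunk) can now return nullptr, so any caller that dereferences its result unconditionally inherits the same failure mode and should be checked outside this file. The WebPagePopup cancellation described in the commit message is not in this file; presumably it lives in WebViewImpl::Close in a sibling change. Methods whose bodies fall outside these hunks (RootWindowRect, CanTakeFocus, OpenPopupMenu and others) may also dereference `web_view_` and, if so, need the same guard for consistency.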
@@ -200,10 +205,12 @@ IntRect ChromeClientImpl::RootWindowRect(LocalFrame& frame) {
}
void ChromeClientImpl::FocusPage() {
+ DCHECK(web_view_);
web_view_->Focus();
}
void ChromeClientImpl::DidFocusPage() {
+ DCHECK(web_view_);
if (web_view_->Client())
web_view_->Client()->DidFocus();
}
@@ -215,10 +222,12 @@ bool ChromeClientImpl::CanTakeFocus(mojom::blink::FocusType) {
}
void ChromeClientImpl::TakeFocus(mojom::blink::FocusType type) {
+ DCHECK(web_view_);
web_view_->TakeFocus(type == mojom::blink::FocusType::kBackward);
}
void ChromeClientImpl::SetKeyboardFocusURL(Element* new_focus_element) {
+ DCHECK(web_view_);
KURL focus_url;
if (new_focus_element && new_focus_element->IsLiveLink() &&
new_focus_element->ShouldHaveFocusAppearance())
@@ -237,6 +246,7 @@ void ChromeClientImpl::StartDragging(LocalFrame* frame,
}
bool ChromeClientImpl::AcceptsLoadDrops() const {
+ DCHECK(web_view_);
return web_view_->GetRendererPreferences().can_accept_load_drops;
}
@@ -248,6 +258,7 @@ Page* ChromeClientImpl::CreateWindowDelegate(
network::mojom::blink::WebSandboxFlags sandbox_flags,
const SessionStorageNamespaceId& session_storage_namespace_id,
bool& consumed_user_gesture) {
+ DCHECK(web_view_);
if (!web_view_->Client())
return nullptr;
@@ -272,6 +283,7 @@ void ChromeClientImpl::DidOverscroll(
const gfx::Vector2dF& accumulated_overscroll,
const gfx::PointF& position_in_viewport,
const gfx::Vector2dF& velocity_in_viewport) {
+ DCHECK(web_view_);
if (!web_view_->does_composite())
return;
// TODO(darin): Change caller to pass LocalFrame.
@@ -304,6 +316,7 @@ void ChromeClientImpl::Show(const blink::LocalFrameToken& opener_frame_token,
NavigationPolicy navigation_policy,
const IntRect& initial_rect,
bool user_gesture) {
+ DCHECK(web_view_);
web_view_->Show(opener_frame_token, navigation_policy, initial_rect,
user_gesture);
}
@@ -342,6 +355,7 @@ void ChromeClientImpl::AddMessageToConsole(LocalFrame* local_frame,
}
bool ChromeClientImpl::CanOpenBeforeUnloadConfirmPanel() {
+ DCHECK(web_view_);
return !!web_view_->Client();
}
@@ -366,6 +380,7 @@ void ChromeClientImpl::SetBeforeUnloadConfirmPanelResultForTesting(
}
void ChromeClientImpl::CloseWindowSoon() {
+ DCHECK(web_view_);
web_view_->CloseWindowSoon();
}
@@ -420,10 +435,12 @@ bool ChromeClientImpl::OpenJavaScriptPromptDelegate(LocalFrame* frame,
return success;
}
bool ChromeClientImpl::TabsToLinks() {
+ DCHECK(web_view_);
return web_view_->TabsToLinks();
}
void ChromeClientImpl::InvalidateContainer() {
+ DCHECK(web_view_);
web_view_->InvalidateContainer();
}
@@ -482,17 +499,20 @@ const display::ScreenInfos& ChromeClientImpl::GetScreenInfos(
void ChromeClientImpl::OverrideVisibleRectForMainFrame(
LocalFrame& frame,
IntRect* visible_rect) const {
+ DCHECK(web_view_);
DCHECK(frame.IsMainFrame());
return web_view_->GetDevToolsEmulator()->OverrideVisibleRect(
IntRect(frame.GetWidgetForLocalRoot()->ViewRect()).Size(), visible_rect);
}
float ChromeClientImpl::InputEventsScaleForEmulation() const {
+ DCHECK(web_view_);
return web_view_->GetDevToolsEmulator()->InputEventsScaleForEmulation();
}
void ChromeClientImpl::ContentsSizeChanged(LocalFrame* frame,
const IntSize& size) const {
+ DCHECK(web_view_);
web_view_->DidChangeContentsSize();
WebLocalFrameImpl* webframe = WebLocalFrameImpl::FromFrame(frame);
@@ -500,41 +520,50 @@ void ChromeClientImpl::ContentsSizeChanged(LocalFrame* frame,
}
bool ChromeClientImpl::DoubleTapToZoomEnabled() const {
+ DCHECK(web_view_);
return web_view_->SettingsImpl()->DoubleTapToZoomEnabled();
}
void ChromeClientImpl::EnablePreferredSizeChangedMode() {
+ DCHECK(web_view_);
web_view_->EnablePreferredSizeChangedMode();
}
void ChromeClientImpl::ZoomToFindInPageRect(
const gfx::Rect& rect_in_root_frame) {
+ DCHECK(web_view_);
web_view_->ZoomToFindInPageRect(rect_in_root_frame);
}
void ChromeClientImpl::PageScaleFactorChanged() const {
+ DCHECK(web_view_);
web_view_->PageScaleFactorChanged();
}
void ChromeClientImpl::MainFrameScrollOffsetChanged(
LocalFrame& main_frame) const {
+ DCHECK(web_view_);
DCHECK(main_frame.IsMainFrame());
web_view_->MainFrameScrollOffsetChanged();
}
float ChromeClientImpl::ClampPageScaleFactorToLimits(float scale) const {
+ DCHECK(web_view_);
return web_view_->ClampPageScaleFactorToLimits(scale);
}
void ChromeClientImpl::ResizeAfterLayout() const {
+ DCHECK(web_view_);
web_view_->ResizeAfterLayout();
}
void ChromeClientImpl::MainFrameLayoutUpdated() const {
+ DCHECK(web_view_);
web_view_->MainFrameLayoutUpdated();
}
void ChromeClientImpl::ShowMouseOverURL(const HitTestResult& result) {
+ DCHECK(web_view_);
if (!web_view_->Client())
return;
@@ -594,6 +623,7 @@ void ChromeClientImpl::UpdateTooltipFromKeyboard(LocalFrame& frame,
void ChromeClientImpl::DispatchViewportPropertiesDidChange(
const ViewportDescription& description) const {
+ DCHECK(web_view_);
web_view_->UpdatePageDefinedViewportConstraints(description);
}
@@ -717,6 +747,7 @@ void ChromeClientImpl::SetCursor(const ui::Cursor& cursor,
void ChromeClientImpl::SetCursorInternal(const ui::Cursor& cursor,
LocalFrame* local_frame) {
+ DCHECK(web_view_);
if (cursor_overridden_)
return;
@@ -765,6 +796,7 @@ void ChromeClientImpl::AutoscrollEnd(LocalFrame* local_frame) {
}
String ChromeClientImpl::AcceptLanguages() {
+ DCHECK(web_view_);
return String::FromUTF8(web_view_->GetRendererPreferences().accept_languages);
}
@@ -804,10 +836,12 @@ void ChromeClientImpl::DetachCompositorAnimationTimeline(
void ChromeClientImpl::EnterFullscreen(LocalFrame& frame,
const FullscreenOptions* options,
FullscreenRequestType request_type) {
+ DCHECK(web_view_);
web_view_->EnterFullscreen(frame, options, request_type);
}
void ChromeClientImpl::ExitFullscreen(LocalFrame& frame) {
+ DCHECK(web_view_);
web_view_->ExitFullscreen(frame);
}
@@ -816,12 +850,14 @@ void ChromeClientImpl::FullscreenElementChanged(
Element* new_element,
const FullscreenOptions* options,
FullscreenRequestType request_type) {
+ DCHECK(web_view_);
web_view_->FullscreenElementChanged(old_element, new_element, options,
request_type);
}
void ChromeClientImpl::AnimateDoubleTapZoom(const gfx::Point& point,
const gfx::Rect& rect) {
+ DCHECK(web_view_);
web_view_->AnimateDoubleTapZoom(point, rect);
}
@@ -836,6 +872,7 @@ void ChromeClientImpl::UpdateLayerSelection(
}
bool ChromeClientImpl::HasOpenedPopup() const {
+ DCHECK(web_view_);
return web_view_->HasOpenedPopup();
}
@@ -850,20 +887,24 @@ PopupMenu* ChromeClientImpl::OpenPopupMenu(LocalFrame& frame,
}
PagePopup* ChromeClientImpl::OpenPagePopup(PagePopupClient* client) {
+ DCHECK(web_view_);
return web_view_->OpenPagePopup(client);
}
void ChromeClientImpl::ClosePagePopup(PagePopup* popup) {
+ DCHECK(web_view_);
web_view_->ClosePagePopup(popup);
}
DOMWindow* ChromeClientImpl::PagePopupWindowForTesting() const {
+ DCHECK(web_view_);
return web_view_->PagePopupWindow();
}
void ChromeClientImpl::SetBrowserControlsState(float top_height,
float bottom_height,
bool shrinks_layout) {
+ DCHECK(web_view_);
DCHECK(web_view_->MainFrameWidget());
gfx::Size size = web_view_->MainFrameWidget()->Size();
if (shrinks_layout)
@@ -875,6 +916,7 @@ void ChromeClientImpl::SetBrowserControlsState(float top_height,
void ChromeClientImpl::SetBrowserControlsShownRatio(float top_ratio,
float bottom_ratio) {
+ DCHECK(web_view_);
web_view_->GetBrowserControls().SetShownRatio(top_ratio, bottom_ratio);
}
@@ -941,6 +983,7 @@ void ChromeClientImpl::SetEventListenerProperties(
LocalFrame* frame,
cc::EventListenerClass event_class,
cc::EventListenerProperties properties) {
+ DCHECK(web_view_);
// This method is only useful when compositing is enabled.
if (!web_view_->does_composite())
return;
@@ -983,6 +1026,7 @@ cc::EventListenerProperties ChromeClientImpl::EventListenerProperties(
}
void ChromeClientImpl::BeginLifecycleUpdates(LocalFrame& main_frame) {
+ DCHECK(web_view_);
DCHECK(main_frame.IsMainFrame());
web_view_->StopDeferringMainFrameUpdate();
}
@@ -1152,10 +1196,12 @@ void ChromeClientImpl::AjaxSucceeded(LocalFrame* frame) {
}
TransformationMatrix ChromeClientImpl::GetDeviceEmulationTransform() const {
+ DCHECK(web_view_);
return web_view_->GetDeviceEmulationTransform();
}
void ChromeClientImpl::DidUpdateBrowserControls() const {
+ DCHECK(web_view_);
web_view_->DidUpdateBrowserControls();
}
@@ -1179,6 +1225,7 @@ void ChromeClientImpl::NotifyPopupOpeningObservers() const {
}
FloatSize ChromeClientImpl::ElasticOverscroll() const {
+ DCHECK(web_view_);
return web_view_->ElasticOverscroll();
}
@@ -1195,6 +1242,7 @@ WebAutofillClient* ChromeClientImpl::AutofillClientFromFrame(
void ChromeClientImpl::DidUpdateTextAutosizerPageInfo(
const mojom::blink::TextAutosizerPageInfo& page_info) {
+ DCHECK(web_view_);
web_view_->TextAutosizerPageInfoChanged(page_info);
}
@@ -1206,6 +1254,7 @@ void ChromeClientImpl::DocumentDetached(Document& document) {
}
double ChromeClientImpl::UserZoomFactor() const {
+ DCHECK(web_view_);
return PageZoomLevelToZoomFactor(web_view_->ZoomLevel());
}