-rw-r--r-- | chromium/content/renderer/web_ui_extension.cc | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/chromium/content/renderer/web_ui_extension.cc b/chromium/content/renderer/web_ui_extension.cc
index 802bd7a0e61..c14313283f1 100644
--- a/chromium/content/renderer/web_ui_extension.cc
+++ b/chromium/content/renderer/web_ui_extension.cc
@@ -124,6 +124,13 @@ void WebUIExtension::Send(gin::Arguments* args) {
 content = base::ListValue::From(V8ValueConverter::Create()->FromV8Value(
 obj, frame->MainWorldScriptContext()));
 DCHECK(content);
+ // The conversion of |obj| could have triggered arbitrary JavaScript code,
+ // so check that the frame is still valid to avoid dereferencing a stale
+ // pointer.
+ if (frame != blink::WebLocalFrame::FrameForCurrentContext()) {
+ NOTREACHED();
+ return;
+ }
 }
 // Send the message up to the browser. |
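Review bot: The new `frame != FrameForCurrentContext()` guard sits inside the block that converts `obj` (the `+ }` is followed by the block's own closing `}` before the "Send the message" comment), so the use-after-free protection only runs when that block is entered, while the code after the hunk presumably uses `frame` or a RenderFrame derived from it on every path. Moving the check to just before the first post-conversion use, outside that block, would make the protection independent of which branch performed the conversion and easier to reason about in review. The guard only compares pointer values and never dereferences `frame`, which is the right shape for this kind of check; if NOTREACHED() is non-fatal in release builds here (hence the explicit `return`), a one-line comment such as `// Release builds drop the message silently; the sending frame was replaced while JS ran.` would document that the message loss is intentional rather than a missed error path. The rest of WebUIExtension::Send, including where `frame` was obtained and how it is used afterwards, lies outside the hunk.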