From 04185ae61ababb3043d5467536b8747db68f6906 Mon Sep 17 00:00:00 2001
From: "Liquan (Max) Gu"
Date: Mon, 10 Jan 2022 21:24:28 +0000
Subject: [Backport] CVE-2022-0468: Use after free in Payments (2/2)
Manual cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3378182: Not to send Payment apps for permission check when service worker errors Before the change, when a payment app was being registered while the window was shutting down, the payment apps would still be sent for permission checks, causing a crash. After the change, in the same situation, the payment apps would not be sent for permission checks.
Bug: 1252716
Change-Id: I9f0f80eadfdc598ee5f1c6e41fd56975b32df2a0
Reviewed-by: Rouslan Solomakhin
Commit-Queue: Liquan (Max) Gu
Cr-Commit-Position: refs/heads/main@{#957248}
Reviewed-by: Allan Sandfeld Jensen
Reviewed-by: Michal Klocek
---
 chromium/content/browser/payments/payment_app_database.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/chromium/content/browser/payments/payment_app_database.cc b/chromium/content/browser/payments/payment_app_database.cc
index fb108835b26..2a597b57916 100644
--- a/chromium/content/browser/payments/payment_app_database.cc
+++ b/chromium/content/browser/payments/payment_app_database.cc
@@ -695,7 +695,7 @@ void PaymentAppDatabase::DidReadAllPaymentInstruments(
 blink::ServiceWorkerStatusCode status) {
 DCHECK_CURRENTLY_ON(ServiceWorkerContext::GetCoreThreadId());
 if (status != blink::ServiceWorkerStatusCode::kOk) {
- std::move(callback).Run(std::move(apps));
+ std::move(callback).Run(PaymentApps());
 return;
 }
-- cgit v1.2.1
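Review bot: The error branch of `DidReadAllPaymentInstruments` now passes an empty `PaymentApps()` to the callback with no comment explaining why, so a later cleanup could restore `std::move(apps)` and reintroduce the use-after-free this backport addresses. I would add a comment above the `Run` call, for example `// On a service worker error (e.g. the window is shutting down) report no apps; partially read apps must not reach permission checks.` The hunk also carries no regression test for the non-`kOk` path. With this change a failed read looks the same to the callback as "no apps installed"; whether any caller needs to tell them apart cannot be judged from here, because the callers and the rest of the function body are outside the hunk.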