From 729e9b30bbf2f70b2a37ba313d6e2655ee0cf4e0 Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen
Date: Thu, 17 Oct 2019 11:53:05 +0200
Subject: [Backport] Security issue 981459
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Don't assume HTMLFrameOwnerElement::GetLayoutObject is LayoutEmbeddedContent

The comment above HTMLFrameOwnerElement::GetLayoutEmbeddedContent() says:

// Most subclasses use LayoutEmbeddedContent (either LayoutEmbeddedObject or
// LayoutIFrame) except for HTMLObjectElement and HTMLEmbedElement which may
// return any LayoutObject when using fallback content.
LayoutEmbeddedContent* GetLayoutEmbeddedContent() const;

No new test because I couldn't reproduce the bug locally, but I believe this will fix the clusterfuzz bug.

Bug: 981459
Change-Id: I3ecf8022111dc25a2e862c0311ffa56467d18c2e
Reviewed-by: Philip Rogers
Commit-Queue: Xianzhu Wang
Cr-Commit-Position: refs/heads/master@{#675712}
Reviewed-by: Jüri Valdmann
---
 .../blink/renderer/core/html/html_frame_owner_element.cc | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/chromium/third_party/blink/renderer/core/html/html_frame_owner_element.cc b/chromium/third_party/blink/renderer/core/html/html_frame_owner_element.cc
index 9eb9c7c7c9d..d0b13e03981 100644
--- a/chromium/third_party/blink/renderer/core/html/html_frame_owner_element.cc
+++ b/chromium/third_party/blink/renderer/core/html/html_frame_owner_element.cc
@@ -309,8 +309,7 @@ void HTMLFrameOwnerElement::SetEmbeddedContentView(
 GetDocument().GetRootScrollerController().DidUpdateIFrameFrameView(*this);
- LayoutEmbeddedContent* layout_embedded_content =
- ToLayoutEmbeddedContent(GetLayoutObject());
+ LayoutEmbeddedContent* layout_embedded_content = GetLayoutEmbeddedContent();
 if (!layout_embedded_content)
 return;
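Review bot: The new `GetLayoutEmbeddedContent()` call on the `+` line carries no comment saying why the plain downcast was wrong, and the identical substitution is made again in the ReleaseEmbeddedContentView hunk below; a one-line comment at this first site would keep a future maintainer from reintroducing the cast. Something like `// Not ToLayoutEmbeddedContent(GetLayoutObject()): HTMLObjectElement/HTMLEmbedElement showing fallback content may have any LayoutObject (see bug 981459).` captures the reasoning the commit message gives. SetEmbeddedContentView begins and ends outside the hunk, so it is not visible whether the function still touches GetLayoutObject() elsewhere; if other `ToLayoutEmbeddedContent(GetLayoutObject())` casts remain in this file they would share the bad-cast risk this commit removes, so a grep is worthwhile. The commit also records that no regression test was added; a layout test that gives an `<object>` fallback content before an embedded content view is attached would pin the fix once the condition can be reproduced.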
@@ -337,8 +336,7 @@ EmbeddedContentView* HTMLFrameOwnerElement::ReleaseEmbeddedContentView() {
 return nullptr;
 if (embedded_content_view_->IsAttached())
 embedded_content_view_->DetachFromLayout();
- LayoutEmbeddedContent* layout_embedded_content =
- ToLayoutEmbeddedContent(GetLayoutObject());
+ LayoutEmbeddedContent* layout_embedded_content = GetLayoutEmbeddedContent();
 if (layout_embedded_content) {
 if (AXObjectCache* cache = GetDocument().ExistingAXObjectCache())
 cache->ChildrenChanged(layout_embedded_content);
--
cgit v1.2.1
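Review bot: Because `GetLayoutEmbeddedContent()` now yields nullptr for an owner whose layout object is not a LayoutEmbeddedContent, the existing `if (layout_embedded_content)` guard also skips `cache->ChildrenChanged(layout_embedded_content)` in the fallback-content case, where the old code ran it on a mis-typed pointer. ChildrenChanged is called here with a LayoutEmbeddedContent*, so it presumably accepts a base LayoutObject* as well; if that is so, the accessibility tree may now miss a children-changed notification for an HTMLObjectElement/HTMLEmbedElement showing fallback content, and it is worth confirming that is intended or else issuing the AX update on `GetLayoutObject()` under its own null check. ReleaseEmbeddedContentView continues past the hunk, so the rest of the function is not visible here.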