From 0bd4f67589e9fcfba2e03db689f8d93b3818baea Mon Sep 17 00:00:00 2001
From: "trop[bot]" <37223003+trop[bot]@users.noreply.github.com>
Date: Wed, 14 Jul 2021 20:47:16 +0900
Subject: [PATCH] fix: crash when invoking login callback synchronously
 (#30090)

Co-authored-by: Jeremy Rose <nornagon@nornagon.net>
---
 shell/browser/login_handler.cc | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/shell/browser/login_handler.cc b/shell/browser/login_handler.cc
index 8d070af32c224..89421508c70ab 100644
--- a/shell/browser/login_handler.cc
+++ b/shell/browser/login_handler.cc
@@ -69,11 +69,15 @@ void LoginHandler::EmitEvent(
   details.Set("firstAuthAttempt", first_auth_attempt);
   details.Set("responseHeaders", response_headers.get());
 
+  auto weak_this = weak_factory_.GetWeakPtr();
   bool default_prevented =
       api_web_contents->Emit("login", std::move(details), auth_info,
                              base::BindOnce(&LoginHandler::CallbackFromJS,
                                             weak_factory_.GetWeakPtr()));
-  if (!default_prevented && auth_required_callback_) {
+  // ⚠️ NB, if CallbackFromJS is called during Emit(), |this| will have been
+  // deleted. Check the weak ptr before accessing any member variables to
+  // prevent UAF.
+  if (weak_this && !default_prevented && auth_required_callback_) {
     std::move(auth_required_callback_).Run(absl::nullopt);
   }
 }