From 722399175b4cb7ca078a81e7a5dceabb6360e996 Mon Sep 17 00:00:00 2001
From: Cheng Zhao
Date: Wed, 15 Jul 2020 16:30:10 +0900
Subject: [PATCH] chore: cherry-pick fix from chromium issue 1090543

---
 patches/chromium/.patches | 1 +
 patches/chromium/backport_1090543.patch | 32 +++++++++++++++++++++++++
 2 files changed, 33 insertions(+)
 create mode 100644 patches/chromium/backport_1090543.patch

diff --git a/patches/chromium/.patches b/patches/chromium/.patches
index e71c1aaca1d4b..e2707518d2dce 100644
--- a/patches/chromium/.patches
+++ b/patches/chromium/.patches
@@ -116,3 +116,4 @@ backport_1019161.patch
 avoid_using_x11_shm_for_remote_connections.patch
 backport_1065122.patch
 backport_1074317.patch
+backport_1090543.patch
diff --git a/patches/chromium/backport_1090543.patch b/patches/chromium/backport_1090543.patch
new file mode 100644
index 0000000000000..67326ec60a10f
--- /dev/null
+++ b/patches/chromium/backport_1090543.patch
@@ -0,0 +1,32 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Cheng Zhao
+Date: Thu, 4 Oct 2018 14:57:02 -0700
+Subject: fix: guard against UaF in NavigationRequest
+
+[1090543] [High]: heap-use-after-free : content::NavigationRequest::OnWillProcessResponseProcessed
+Backport https://chromium.googlesource.com/chromium/src/+/8a7c8c1affd3b03a41c6f79afa8ebce4168ded5b
+
+diff --git a/content/browser/frame_host/navigation_request.cc b/content/browser/frame_host/navigation_request.cc
+index bba7dc934cd43df41949ed5b2adc70e152b77627..d5290c54ed88e3dd2cd736535d5954316ee663a8 100644
+--- a/content/browser/frame_host/navigation_request.cc
++++ b/content/browser/frame_host/navigation_request.cc
+@@ -3012,11 +3012,19 @@ void NavigationRequest::OnWillProcessResponseProcessed(
+ DCHECK(processing_navigation_throttle_);
+ processing_navigation_throttle_ = false;
+ if (result.action() == NavigationThrottle::PROCEED) {
++ base::WeakPtr weak_self(weak_factory_.GetWeakPtr());
+
+ // If the navigation is done processing the response, then it's ready to
+ // commit. Inform observers that the navigation is now ready to commit,
+ // unless it is not set to commit (204/205s/downloads).
+ if (render_frame_host_)
+ ReadyToCommitNavigation(false);
++
++ // The call above might block on showing a user dialog. The interaction of
++ // the user with this dialog might result in the WebContents owning this
++ // NavigationRequest to be destroyed. Return if this is the case.
++ if (!weak_self)
++ return;
+ } else {
+ state_ = CANCELING;
+ }
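Review bot: The liveness guard protects only the `PROCEED` branch, and whatever OnWillProcessResponseProcessed does after the `if`/`else` — its body begins and ends outside the hunk — is safe solely because the new `if (!weak_self) return;` sits immediately after `ReadyToCommitNavigation(false)`; any member access inserted between that call and the check would reintroduce the use-after-free this patch fixes. I would state that contract in the new comment, e.g. `// Nothing may touch |this| between ReadyToCommitNavigation() and this check; only |weak_self| may be read until it has been verified.` On this page `base::WeakPtr weak_self` appears without a template argument, presumably `<NavigationRequest>` lost in rendering; since the patch file is applied as written, confirm the file in the tree spells it out. The backport carries no regression test; if the upstream change included one that destroys the WebContents from the dialog, carrying it alongside would keep this guard from regressing silently.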