Fix use-after-free in WebContentsAdapter::load

valdmann · valdmann · commit 662de14ceece · 2019-07-18T10:18:31.000+02:00
Pass WebContentsAdapter pointer to lambda via QWeakPointer in case the adapter
has been deleted already.

Fixes: QTBUG-76958
Change-Id: I1962ba3dd1794a27e7013a2ad1b729fe7a08c079
Reviewed-by: Allan Sandfeld Jensen &lt;allan.jensen@qt.io&gt;
diff --git a/src/core/web_contents_adapter.cpp b/src/core/web_contents_adapter.cpp
@@ -653,19 +653,23 @@ void WebContentsAdapter::load(const QWebEngineHttpRequest &request)
         }
     }
 
-    auto navigate = [](WebContentsAdapter *adapter, const content::NavigationController::LoadURLParams &params) {
+    auto navigate = [](QWeakPointer<WebContentsAdapter> weakAdapter, const content::NavigationController::LoadURLParams &params) {
+        WebContentsAdapter *adapter = weakAdapter.data();
+        if (!adapter)
+            return;
         adapter->webContents()->GetController().LoadURLWithParams(params);
         // Follow chrome::Navigate and invalidate the URL immediately.
         adapter->m_webContentsDelegate->NavigationStateChanged(adapter->webContents(), content::INVALIDATE_TYPE_URL);
         adapter->focusIfNecessary();
     };
 
+    QWeakPointer<WebContentsAdapter> weakThis(sharedFromThis());
     if (resizeNeeded) {
         // Schedule navigation on the event loop.
         content::BrowserThread::PostTask(
-            content::BrowserThread::UI, FROM_HERE, base::BindOnce(navigate, this, std::move(params)));
+            content::BrowserThread::UI, FROM_HERE, base::BindOnce(navigate, std::move(weakThis), std::move(params)));
     } else {
-        navigate(this, params);
+        navigate(std::move(weakThis), params);
     }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -653,19 +653,23 @@ void WebContentsAdapter::load(const QWebEngineHttpRequest &request)`
`653`	`653`	`}`
`654`	`654`	`}`
`655`	`655`
`656`		`- auto navigate = [](WebContentsAdapter *adapter, const content::NavigationController::LoadURLParams &params) {`
	`656`	`+ auto navigate = [](QWeakPointer<WebContentsAdapter> weakAdapter, const content::NavigationController::LoadURLParams &params) {`
	`657`	`+ WebContentsAdapter *adapter = weakAdapter.data();`
	`658`	`+ if (!adapter)`
	`659`	`+ return;`
`657`	`660`	`adapter->webContents()->GetController().LoadURLWithParams(params);`
`658`	`661`	`// Follow chrome::Navigate and invalidate the URL immediately.`
`659`	`662`	`adapter->m_webContentsDelegate->NavigationStateChanged(adapter->webContents(), content::INVALIDATE_TYPE_URL);`
`660`	`663`	`adapter->focusIfNecessary();`
`661`	`664`	`};`
`662`	`665`
	`666`	`+ QWeakPointer<WebContentsAdapter> weakThis(sharedFromThis());`
`663`	`667`	`if (resizeNeeded) {`
`664`	`668`	`// Schedule navigation on the event loop.`
`665`	`669`	`content::BrowserThread::PostTask(`
`666`		`- content::BrowserThread::UI, FROM_HERE, base::BindOnce(navigate, this, std::move(params)));`
	`670`	`+ content::BrowserThread::UI, FROM_HERE, base::BindOnce(navigate, std::move(weakThis), std::move(params)));`
`667`	`671`	`} else {`
`668`		`- navigate(this, params);`
	`672`	`+ navigate(std::move(weakThis), params);`
`669`	`673`	`}`
`670`	`674`	`}`
`671`	`675`