[Backport] Fix for CVE-2018-17462

Refcount AppCacheGroup correctly.

TBR=palmer@chromium.org

(cherry picked from commit 9d2ead1650a1c901754dd1a68705006a6934cffc)

Bug: 888926
Reviewed-on: https://chromium-review.googlesource.com/1246827
Reviewed-by: Marijn Kruisselbrink <mek@chromium.org>
Reviewed-by: Joshua Bell <jsbell@chromium.org>
Commit-Queue: Chris Palmer <palmer@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#594475}
Reviewed-on: https://chromium-review.googlesource.com/1252004
Cr-Commit-Position: refs/branch-heads/3538@{#733}
Cr-Branched-From: 79f7c91a2b2a2932cd447fa6f865cb6662fa8fa6-refs/heads/master@{#587811}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Change-Id: I3889bda2e12de992cd10487ac74c470ade0e5917

1 files changed, 1 insertions, 1 deletions

diff --git a/chromium/content/browser/appcache/appcache_group.cc b/chromium/content/browser/appcache/appcache_group.cc
index 06cca4ca884..33f05a3ec9d 100644
--- a/chromium/content/browser/appcache/appcache_group.cc
+++ b/chromium/content/browser/appcache/appcache_group.cc
@@ -114,9 +114,9 @@ void AppCacheGroup::AddCache(AppCache* complete_cache) {
 void AppCacheGroup::RemoveCache(AppCache* cache) {
   DCHECK(cache->associated_hosts().empty());
   if (cache == newest_complete_cache_) {
-    CancelUpdate();
     AppCache* tmp_cache = newest_complete_cache_;
     newest_complete_cache_ = nullptr;
+    CancelUpdate();
     tmp_cache->set_owning_group(nullptr);  // may cause this group to be deleted
   } else {
     scoped_refptr<AppCacheGroup> protect(this);