authorAllan Sandfeld Jensen <allan.jensen@theqtcompany.com>2016-03-03 15:24:34 +0100
committerAllan Sandfeld Jensen <allan.jensen@theqtcompany.com>2016-03-03 14:48:36 +0000
commitcbe3845eff59c2d1726ed3dc0f934f7f483a1271 (patch)
tree26bb07b7ad34e35e2788e742fcff3830d02aacb4
parent4dffa3de9a67d4aa9298475a039cb8027e97f381 (diff)
[Backport] Don't call WebContents::DownloadImage() callback if the WebContents were deletedv5.6.0
BUG=583718 Review URL: https://codereview.chromium.org/1685343004 (CVE-2016-1641) Change-Id: Ifa7d046c7f4e48336ee8d1a220ea91a64e76c4d0 Reviewed-by: Michael Brüning <michael.bruning@theqtcompany.com>
-rw-r--r--chromium/content/browser/web_contents/web_contents_impl.cc47
-rw-r--r--chromium/content/browser/web_contents/web_contents_impl.h7
2 files changed, 32 insertions, 22 deletions
diff --git a/chromium/content/browser/web_contents/web_contents_impl.cc b/chromium/content/browser/web_contents/web_contents_impl.cc
index f734fc86cfd..b3eeefece37 100644
--- a/chromium/content/browser/web_contents/web_contents_impl.cc
+++ b/chromium/content/browser/web_contents/web_contents_impl.cc
@@ -139,21 +139,6 @@ const char kWebContentsAndroidKey[] = "web_contents_android";
base::LazyInstance<std::vector<WebContentsImpl::CreatedCallback> >
g_created_callbacks = LAZY_INSTANCE_INITIALIZER;
-static void DidDownloadImage(const WebContents::ImageDownloadCallback& callback,
- int id,
- const GURL& image_url,
- image_downloader::DownloadResultPtr result) {
- DCHECK(result);
-
- const std::vector<SkBitmap> images =
- result->images.To<std::vector<SkBitmap>>();
- const std::vector<gfx::Size> original_image_sizes =
- result->original_image_sizes.To<std::vector<gfx::Size>>();
-
- callback.Run(id, result->http_status_code, image_url, images,
- original_image_sizes);
-}
-
void NotifyCacheOnIO(
scoped_refptr<net::URLRequestContextGetter> request_context,
const GURL& url,
@@ -391,7 +376,8 @@ WebContentsImpl::WebContentsImpl(BrowserContext* browser_context)
accessibility_mode_(
BrowserAccessibilityStateImpl::GetInstance()->accessibility_mode()),
virtual_keyboard_requested_(false),
- loading_weak_factory_(this) {
+ loading_weak_factory_(this),
+ weak_factory_(this) {
frame_tree_.SetFrameRemoveListener(
base::Bind(&WebContentsImpl::OnFrameRemoved,
base::Unretained(this)));
@@ -2636,12 +2622,14 @@ int WebContentsImpl::DownloadImage(
// Android), the downloader service will be invalid. Pre-Mojo, this would
// hang the callback indefinetly since the IPC would be dropped. Now,
// respond with a 400 HTTP error code to indicate that something went wrong.
+ image_downloader::DownloadResultPtr result =
+ image_downloader::DownloadResult::New();
+ result->http_status_code = 400;
BrowserThread::PostTask(
BrowserThread::UI, FROM_HERE,
- base::Bind(&WebContents::ImageDownloadCallback::Run,
- base::Owned(new ImageDownloadCallback(callback)),
- download_id, 400, url, std::vector<SkBitmap>(),
- std::vector<gfx::Size>()));
+ base::Bind(&WebContentsImpl::OnDidDownloadImage,
+ weak_factory_.GetWeakPtr(), callback, download_id, url,
+ base::Passed(&result)));
return download_id;
}
@@ -2654,8 +2642,9 @@ int WebContentsImpl::DownloadImage(
req->bypass_cache = bypass_cache;
mojo_image_downloader->DownloadImage(
- req.Pass(),
- base::Bind(&DidDownloadImage, callback, download_id, url));
+ req.Pass(), base::Bind(&WebContentsImpl::OnDidDownloadImage,
+ weak_factory_.GetWeakPtr(), callback,
+ download_id, url));
return download_id;
}
@@ -4374,6 +4363,20 @@ bool WebContentsImpl::GetAllowOtherViews() {
#endif
+void WebContentsImpl::OnDidDownloadImage(
+ const ImageDownloadCallback& callback,
+ int id,
+ const GURL& image_url,
+ image_downloader::DownloadResultPtr result) {
+ const std::vector<SkBitmap> images =
+ result->images.To<std::vector<SkBitmap>>();
+ const std::vector<gfx::Size> original_image_sizes =
+ result->original_image_sizes.To<std::vector<gfx::Size>>();
+
+ callback.Run(id, result->http_status_code, image_url, images,
+ original_image_sizes);
+}
+
void WebContentsImpl::OnDialogClosed(int render_process_id,
int render_frame_id,
IPC::Message* reply_msg,
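Review bot: The new WebContentsImpl::OnDidDownloadImage dereferences `result` without the `DCHECK(result);` that the removed static DidDownloadImage had as its first statement, so the null check the old helper documented is lost in the move to a member function; restoring `DCHECK(result);` as the first line of the new body keeps it. The early-return path in DownloadImage now builds a DownloadResult with only http_status_code set, leaving images and original_image_sizes as default-constructed mojo arrays, and it is worth confirming that `To<std::vector<...>>()` on such an array yields an empty vector rather than tripping a check, since that path previously passed explicit empty vectors. Binding through weak_factory_.GetWeakPtr() means the callback is silently never run if the WebContents is destroyed first, which is the intended fix, but the comment above the early-return block describing the "respond with 400" behaviour could note that the callback is no longer guaranteed to run at all. Both DownloadImage hunks start outside the shown lines.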
diff --git a/chromium/content/browser/web_contents/web_contents_impl.h b/chromium/content/browser/web_contents/web_contents_impl.h
index b78fff049f2..6062bb0610e 100644
--- a/chromium/content/browser/web_contents/web_contents_impl.h
+++ b/chromium/content/browser/web_contents/web_contents_impl.h
@@ -779,6 +779,12 @@ class CONTENT_EXPORT WebContentsImpl
// all the unique RenderWidgetHostViews.
std::set<RenderWidgetHostView*> GetRenderWidgetHostViewsInTree();
+ // Called with the result of a DownloadImage() request.
+ void OnDidDownloadImage(const ImageDownloadCallback& callback,
+ int id,
+ const GURL& image_url,
+ image_downloader::DownloadResultPtr result);
+
// Callback function when showing JavaScript dialogs. Takes in a routing ID
// pair to identify the RenderFrameHost that opened the dialog, because it's
// possible for the RenderFrameHost to be deleted by the time this is called.
@@ -1281,6 +1287,7 @@ class CONTENT_EXPORT WebContentsImpl
#endif
base::WeakPtrFactory<WebContentsImpl> loading_weak_factory_;
+ base::WeakPtrFactory<WebContentsImpl> weak_factory_;
DISALLOW_COPY_AND_ASSIGN(WebContentsImpl);
};
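Review bot: The comment added above the OnDidDownloadImage declaration says only that it is called with a DownloadImage() result; it should also state the lifetime contract the commit relies on, e.g. `// Bound through weak_factory_, so it is never run (and |callback| is dropped) once this WebContents has been destroyed.` The new weak_factory_ is placed as the last data member, after loading_weak_factory_, which is what ensures pending weak pointers are invalidated before the rest of the object is torn down; a one-line comment such as `// Must be the last member so outstanding weak pointers are invalidated first.` records why that position matters. The class body continues outside both hunks.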