authorMichael BrĂ¼ning <michael.bruning@qt.io>2018-08-13 15:11:13 +0200
committerMichael BrĂ¼ning <michael.bruning@qt.io>2018-08-15 14:47:33 +0000
commite79b92654e10f0e91585606b4309cbc52023f28a (patch)
tree11e3657f55d78a32d33e6bb339004e638746e802
parentd845afbbb6092353b7e4694db0bf8a625e077bfa (diff)
[Backport] Security fix for Chromium bug 861571
Fix DCHECK in WebFormElementObserverImpl The WebFormElementObserverImpl made an incorrect but also totally unnecessary cast of a Node to an HTMLElement. This edge case was discovered by the fuzzer where a form was inside an <svg> element, whose style attribute was changed, but which could not be cast to HTMLElement. TBR=battre@chromium.org (cherry picked from commit 5ce8880baa741c8e31cfd47ede17490128590488) Bug: 861571 Reviewed-on: https://chromium-review.googlesource.com/1128973 Reviewed-on: https://chromium-review.googlesource.com/1131939 Change-Id: I1be2a961833fff0e222f65051fe4fe1e6ce01981 Reviewed-by: Kai Koehne <kai.koehne@qt.io>
-rw-r--r--chromium/third_party/WebKit/Source/core/exported/WebFormElementObserverImpl.cpp3
1 files changed, 1 insertions, 2 deletions
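diff --git a/chromium/third_party/WebKit/Source/core/exported/WebFormElementObserverImpl.cpp b/chromium/third_party/WebKit/Source/core/exported/WebFormElementObserverImpl.cpp
index 133d5bdcc6b..a95b04ab336 100644
--- a/chromium/third_party/WebKit/Source/core/exported/WebFormElementObserverImpl.cpp
+++ b/chromium/third_party/WebKit/Source/core/exported/WebFormElementObserverImpl.cpp
@@ -76,7 +76,6 @@ void WebFormElementObserverImpl::ObserverCallback::Deliver(
 return;
 }
 } else {
- HTMLElement& element = *ToHTMLElement(record->target());
 if (record->attributeName() == "action") {
 // If the action was modified, we just assume that the form as
 // submitted.
@@ -87,7 +86,7 @@ void WebFormElementObserverImpl::ObserverCallback::Deliver(
 // Otherwise, either "style" or "class" was modified. Check the
 // computed style.
 CSSComputedStyleDeclaration* style =
- CSSComputedStyleDeclaration::Create(&element);
+ CSSComputedStyleDeclaration::Create(record->target());
 if (style->GetPropertyValue(CSSPropertyDisplay) == "none") {
 callback_->ElementWasHiddenOrRemoved();
 Disconnect();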
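Review bot: The computed-style lookup at the `CSSComputedStyleDeclaration::Create(record->target())` line now takes whatever Node the mutation record carries, and nothing in the hunk states the invariant the removed cast used to encode. Attribute-type mutation records target an Element, but not necessarily an HTMLElement (the SVG case from the commit message), so a `DCHECK(record->target()->IsElementNode());` ahead of the call, plus a comment such as `// target may be any Element (e.g. SVG), so avoid HTMLElement-only APIs here`, would make the corrected assumption explicit for the next reader. The `// Otherwise, either "style" or "class" was modified.` comment two lines above could carry the same remark. Deliver() begins before the first hunk and continues past this one, so the rest of the else branch is not visible here.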