authorDarwin Huang <huangdarwin@chromium.org>2020-11-10 00:30:53 +0000
committerMichael Brüning <michael.bruning@qt.io>2020-12-07 22:24:24 +0000
commit8e776e6e6f5e4642088d85318d0f6263ce649704 (patch)
treea6edd4f1afbb8e76290c5565e84f5aa5e1449e21
parentade0aef290c67070ee2e431c34c33dde00f3559a (diff)
[Backport] CVE-2020-16014: Use after free in PPAPI
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2527065: Pepper: Ensure weak pointer is still valid before use. Bug: 1146675 Change-Id: I382dcb5c0b09a26e3c397ebef46947f626e2aef9 Reviewed-by: Bill Budge <bbudge@chromium.org> Commit-Queue: Darwin Huang <huangdarwin@chromium.org> Cr-Commit-Position: refs/heads/master@{#825558} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/content/browser/renderer_host/pepper/pepper_file_io_host.cc7
1 files changed, 6 insertions, 1 deletions
diff --git a/chromium/content/browser/renderer_host/pepper/pepper_file_io_host.cc b/chromium/content/browser/renderer_host/pepper/pepper_file_io_host.cc
index 474c1683dcd..8ae20bd4bcd 100644
--- a/chromium/content/browser/renderer_host/pepper/pepper_file_io_host.cc
+++ b/chromium/content/browser/renderer_host/pepper/pepper_file_io_host.cc
@@ -250,7 +250,12 @@ void PepperFileIOHost::GotUIThreadStuffForInternalFileSystems(
return;
}
- DCHECK(file_system_host_.get());
+ if (!file_system_host_.get()) {
+ reply_context.params.set_result(PP_ERROR_FAILED);
+ SendOpenErrorReply(reply_context);
+ return;
+ }
+
DCHECK(file_system_host_->GetFileSystemOperationRunner());
file_system_host_->GetFileSystemOperationRunner()->OpenFile(