From 1b6fc616ee697220492dd957e40568b25bad73e4 Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen <allan.jensen@qt.io>
Date: Wed, 24 Oct 2018 14:51:03 +0200
Subject: [Backport] Fix for CVE-2018-17462

Refcount AppCacheGroup correctly.

TBR=palmer@chromium.org

(cherry picked from commit 9d2ead1650a1c901754dd1a68705006a6934cffc)

Bug: 888926
Reviewed-on: https://chromium-review.googlesource.com/1246827
Reviewed-by: Marijn Kruisselbrink <mek@chromium.org>
Reviewed-by: Joshua Bell <jsbell@chromium.org>
Commit-Queue: Chris Palmer <palmer@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#594475}
Reviewed-on: https://chromium-review.googlesource.com/1252004
Cr-Commit-Position: refs/branch-heads/3538@{#733}
Cr-Branched-From: 79f7c91a2b2a2932cd447fa6f865cb6662fa8fa6-refs/heads/master@{#587811}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Change-Id: I3889bda2e12de992cd10487ac74c470ade0e5917
---
 chromium/content/browser/appcache/appcache_group.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/chromium/content/browser/appcache/appcache_group.cc b/chromium/content/browser/appcache/appcache_group.cc
index 06cca4ca884..33f05a3ec9d 100644
--- a/chromium/content/browser/appcache/appcache_group.cc
+++ b/chromium/content/browser/appcache/appcache_group.cc
@@ -114,9 +114,9 @@ void AppCacheGroup::AddCache(AppCache* complete_cache) {
 void AppCacheGroup::RemoveCache(AppCache* cache) {
   DCHECK(cache->associated_hosts().empty());
   if (cache == newest_complete_cache_) {
-    CancelUpdate();
     AppCache* tmp_cache = newest_complete_cache_;
     newest_complete_cache_ = nullptr;
+    CancelUpdate();
     tmp_cache->set_owning_group(nullptr);  // may cause this group to be deleted
   } else {
     scoped_refptr<AppCacheGroup> protect(this);
-- 
cgit v1.2.3