From 2dcf2c6d0cedaa8b889f7021e181806a4832eeec Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen <allan.jensen@qt.io>
Date: Wed, 24 Oct 2018 15:57:27 +0200
Subject: [Backport] Fix for CVE-2018-17474
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Merge "Speculative fix for crashes in HTMLImportsController::Dispose()." to M70 branch

Copy the loaders_ vector before iterating it.
This CL has no tests because we don't know stable reproduction.

Bug: 843151
Change-Id: I3d5e184657cbce56dcfca0c717d7a0c464e20efe
Reviewed-on: https://chromium-review.googlesource.com/1245017
Reviewed-by: Keishi Hattori <keishi@chromium.org>
Commit-Queue: Kent Tamura <tkent@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#594226}(cherry picked from commit 54139dd9a60d8fb63d2379a08e2f2750eac2d959)
Reviewed-on: https://chromium-review.googlesource.com/c/1270199
Reviewed-by: Kent Tamura <tkent@chromium.org>
Cr-Commit-Position: refs/branch-heads/3538@{#911}
Cr-Branched-From: 79f7c91a2b2a2932cd447fa6f865cb6662fa8fa6-refs/heads/master@{#587811}
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
---
 .../Source/core/html/imports/HTMLImportsController.cpp      | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/chromium/third_party/WebKit/Source/core/html/imports/HTMLImportsController.cpp b/chromium/third_party/WebKit/Source/core/html/imports/HTMLImportsController.cpp
index 182ebb571fc..203d1ee0ab9 100644
--- a/chromium/third_party/WebKit/Source/core/html/imports/HTMLImportsController.cpp
+++ b/chromium/third_party/WebKit/Source/core/html/imports/HTMLImportsController.cpp
@@ -46,9 +46,16 @@ HTMLImportsController::HTMLImportsController(Document& master)
 }
 
 void HTMLImportsController::Dispose() {
-  for (const auto& loader : loaders_)
-    loader->Dispose();
-  loaders_.clear();
+  // TODO(tkent): We copy loaders_ before iteration to avoid crashes.
+  // This copy should be unnecessary. loaders_ is not modified during
+  // the iteration.  Also, null-check for |loader| should be
+  // unnecessary.  crbug.com/843151.
+  LoaderList list;
+  list.swap(loaders_);
+  for (const auto& loader : list) {
+    if (loader)
+      loader->Dispose();
+  }
 
   if (root_) {
     root_->Dispose();
-- 
cgit v1.2.3