From 68da9a772754afd7d21148ec0f209ea6c136250f Mon Sep 17 00:00:00 2001 From: Wez Date: Thu, 15 Apr 2021 18:24:27 +0000 Subject: [Backport] Security bug 1192552 Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2826321: [views] Handle window deletion during HandleDisplayChange. In principle there is no reason why the HWNDMessageHandler shouldn't be deleted by a HandleDisplayChange() call out to the delegate, e.g. if the change results in a change in window layout. (cherry picked from commit 299155e5e37a77670b7969771e09e9a16b1f5612) Bug: 1192552 Change-Id: I9fca35ff32e7037c6492f4cee7069e272059b920 Auto-Submit: Wez Commit-Queue: Scott Violet Reviewed-by: Scott Violet Cr-Original-Commit-Position: refs/heads/master@{#869603} Cr-Commit-Position: refs/branch-heads/4430@{#1291} Cr-Branched-From: e5ce7dc4f7518237b3d9bb93cccca35d25216cbe-refs/heads/master@{#857950} Reviewed-by: Allan Sandfeld Jensen
---
 chromium/ui/views/win/hwnd_message_handler.cc | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/chromium/ui/views/win/hwnd_message_handler.cc b/chromium/ui/views/win/hwnd_message_handler.cc
index d5f442f71da..ff24e385430 100644
--- a/chromium/ui/views/win/hwnd_message_handler.cc
+++ b/chromium/ui/views/win/hwnd_message_handler.cc
@@ -1617,7 +1617,13 @@ void HWNDMessageHandler::OnDestroy() {
 void HWNDMessageHandler::OnDisplayChange(UINT bits_per_pixel, const gfx::Size& screen_size) {
+ base::WeakPtr ref(msg_handler_weak_factory_.GetWeakPtr());
 delegate_->HandleDisplayChange();
+
+ // HandleDisplayChange() may result in |this| being deleted.
+ if (!ref)
+ return;
+
 // Force a WM_NCCALCSIZE to occur to ensure that we handle auto hide
 // taskbars correctly.
 SendFrameChanged();
--
cgit v1.2.3
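Review bot: The early return after `delegate_->HandleDisplayChange()` guards only this one callout, and the backport touches a single file with no regression test, so nothing here pins the behaviour when the delegate destroys the handler during a display change. A unit test that has the delegate tear down the window from its display-change handler and then lets `OnDisplayChange()` return would keep the `if (!ref) return;` guard from being dropped in a later refactor. The commit message's reasoning presumably applies to other `delegate_->Handle…()` calls in this file that touch members afterwards; those are outside the hunk, so they are worth auditing separately. The added comment could also state the invariant the guard protects, e.g. `// |ref| is invalidated when |this| is destroyed; nothing below may touch members once it is null.` The body of `OnDisplayChange()` continues past the last visible line of the hunk.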