From 662de14ceecee701b31478849ae147c70f3fe00f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=BCri=20Valdmann?=
Date: Wed, 17 Jul 2019 13:16:23 +0200
Subject: Fix use-after-free in WebContentsAdapter::load

Pass WebContentsAdapter pointer to lambda via QWeakPointer in case the adapter has been deleted already.

Fixes: QTBUG-76958
Change-Id: I1962ba3dd1794a27e7013a2ad1b729fe7a08c079
Reviewed-by: Allan Sandfeld Jensen
---
 src/core/web_contents_adapter.cpp | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/core/web_contents_adapter.cpp b/src/core/web_contents_adapter.cpp
index a342ba302..f74f16bc3 100644
--- a/src/core/web_contents_adapter.cpp
+++ b/src/core/web_contents_adapter.cpp
@@ -653,19 +653,23 @@ void WebContentsAdapter::load(const QWebEngineHttpRequest &request)
 }
 }
- auto navigate = [](WebContentsAdapter *adapter, const content::NavigationController::LoadURLParams ¶ms) {
+ auto navigate = [](QWeakPointer weakAdapter, const content::NavigationController::LoadURLParams ¶ms) {
+ WebContentsAdapter *adapter = weakAdapter.data();
+ if (!adapter)
+ return;
 adapter->webContents()->GetController().LoadURLWithParams(params);
 // Follow chrome::Navigate and invalidate the URL immediately.
 adapter->m_webContentsDelegate->NavigationStateChanged(adapter->webContents(), content::INVALIDATE_TYPE_URL);
 adapter->focusIfNecessary();
 };
+ QWeakPointer weakThis(sharedFromThis());
 if (resizeNeeded) {
 // Schedule navigation on the event loop.
 content::BrowserThread::PostTask(
- content::BrowserThread::UI, FROM_HERE, base::BindOnce(navigate, this, std::move(params)));
+ content::BrowserThread::UI, FROM_HERE, base::BindOnce(navigate, std::move(weakThis), std::move(params)));
 } else {
- navigate(this, params);
+ navigate(std::move(weakThis), params);
 }
 }
--
cgit v1.2.3
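Review bot: In the `navigate` lambda, `weakAdapter.data()` yields a raw pointer that does not keep the adapter alive, so the added null check only covers deletion that happened before the posted task runs. If `LoadURLWithParams` or `NavigationStateChanged` can re-enter and drop the last reference (not visible in this hunk), the following `adapter->m_webContentsDelegate` and `adapter->focusIfNecessary()` uses would still touch freed memory. Holding a strong reference for the lambda's duration closes that window: `QSharedPointer<WebContentsAdapter> adapter = weakAdapter.toStrongRef();` followed by the same `if (!adapter) return;`. The line `QWeakPointer weakThis(sharedFromThis());` also deserves a comment stating that the adapter must already be owned by a QSharedPointer, since otherwise the synchronous `navigate(std::move(weakThis), params)` branch would presumably return without loading. The body of `load()` starts above the hunk.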