From 527af790d460f0ec486fdbb667a36164a829761e Mon Sep 17 00:00:00 2001
From: Viktor Engelmann
Date: Tue, 16 Aug 2016 13:50:43 +0200
Subject: Resolved nullptr dereference bug
In line 282f of chromium/content/browser/frame_host/render_frame_host_manager.cc, RenderFrameHostManager::Navigate passes nullptr to WebContentsImpl::NotifyViewSwapped. In line 3833f of chromium/content/browser/web_contents/web_contents_impl.cc, this is passed on to the observers, including UserResourceControllerHost::WebContentsObserverHelper::RenderViewHostChanged which dereferenced it unchecked, causing a crash.
Task-number: QTBUG-55254
Change-Id: Ibdb6645f63957d28a89c50b51faeb3aea086a8b3
Reviewed-by: Kai Koehne
---
 src/core/user_script_controller_host.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'src/core')
diff --git a/src/core/user_script_controller_host.cpp b/src/core/user_script_controller_host.cpp
index a0d3f6fed..4dcd1a071 100644
--- a/src/core/user_script_controller_host.cpp
+++ b/src/core/user_script_controller_host.cpp
@@ -78,7 +78,8 @@ void UserScriptControllerHost::WebContentsObserverHelper::RenderViewCreated(cont
 void UserScriptControllerHost::WebContentsObserverHelper::RenderViewHostChanged(content::RenderViewHost *oldHost, content::RenderViewHost *newHost)
 {
- oldHost->Send(new RenderViewObserverHelper_ClearScripts(oldHost->GetRoutingID()));
+ if (oldHost)
+ oldHost->Send(new RenderViewObserverHelper_ClearScripts(oldHost->GetRoutingID()));
 content::WebContents *contents = web_contents();
 Q_FOREACH (const UserScript &script, m_controllerHost->m_perContentsScripts.value(contents))
--
cgit v1.2.3
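Review bot: The added `if (oldHost)` guard fixes the crash but leaves no trace in the code of why a null previous host is a legitimate input here, so to the next reader it looks like defensive noise that could be removed; the reasoning currently lives only in the commit message. Add a why-comment above the check, e.g. `// oldHost is nullptr when there was no previous RenderViewHost (RenderFrameHostManager::Navigate hands nullptr to NotifyViewSwapped, QTBUG-55254); nothing to clear in that case.` The body of RenderViewHostChanged continues past the end of the hunk, so I cannot see whether the remainder (the Q_FOREACH loop, which presumably pushes the scripts to `newHost`) relies on `newHost` being non-null; it is worth confirming that the observer contract guarantees a non-null new host on this callback, or guarding it the same way.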