Cherry-pick fix for CVE-2015-123740.0.2214-based

Clear RenderFrameImpl::frame_ pointer after deleting it. Also avoid dereferencing it in OnMessageReceived after deletion. BUG=461191 TEST=No more crashes in RenderFrameImpl::OnMessageReceived Review URL: https://codereview.chromium.org/1007123003 Change-Id: I0f2dcd9e9e78e4255f37ddaa8d5b75b0852d9521 Reviewed-by: Michael Brüning <michael.bruning@theqtcompany.com>
author: Allan Sandfeld Jensen <allan.jensen@theqtcompany.com> 2016-02-02 12:48:26 +0100
committer: Allan Sandfeld Jensen <allan.jensen@theqtcompany.com> 2016-02-02 12:13:02 +0000
commit: 3ffd36d63c36e5aa94a68f3ce12eb8dd20b3b44c (patch)
tree: 7c8f0911be1cfaa1e09a8071018fed38852202f0 /chromium/content/renderer/render_view_impl.h
parent: ec84d41000c53256d348cd9ee96b912c8a8628ec (diff)
download: qtwebengine-chromium-40.0.2214-based.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/chromium/content/renderer/render_view_impl.h b/chromium/content/renderer/render_view_impl.h
index be982b09b50..86e6d19b542 100644
--- a/chromium/content/renderer/render_view_impl.h
+++ b/chromium/content/renderer/render_view_impl.h
@@ -562,6 +562,7 @@ class CONTENT_EXPORT RenderViewImpl
   // code away from this class.
   friend class RenderFrameImpl;
 
+  FRIEND_TEST_ALL_PREFIXES(RenderViewImplTest, RenderFrameMessageAfterDetach);
   FRIEND_TEST_ALL_PREFIXES(RenderViewImplTest, DecideNavigationPolicyForWebUI);
   FRIEND_TEST_ALL_PREFIXES(RenderViewImplTest,
                            DidFailProvisionalLoadWithErrorForError);
author	Allan Sandfeld Jensen <allan.jensen@theqtcompany.com>	2016-02-02 12:48:26 +0100
committer	Allan Sandfeld Jensen <allan.jensen@theqtcompany.com>	2016-02-02 12:13:02 +0000
commit	3ffd36d63c36e5aa94a68f3ce12eb8dd20b3b44c (patch)
tree	7c8f0911be1cfaa1e09a8071018fed38852202f0 /chromium/content/renderer/render_view_impl.h
parent	ec84d41000c53256d348cd9ee96b912c8a8628ec (diff)
download	qtwebengine-chromium-40.0.2214-based.tar.gz