authorAllan Sandfeld Jensen <allan.jensen@theqtcompany.com>2016-02-02 12:48:26 +0100
committerAllan Sandfeld Jensen <allan.jensen@theqtcompany.com>2016-02-02 12:13:02 +0000
commit3ffd36d63c36e5aa94a68f3ce12eb8dd20b3b44c (patch)
tree7c8f0911be1cfaa1e09a8071018fed38852202f0 /chromium/content/renderer/render_frame_impl.h
parentec84d41000c53256d348cd9ee96b912c8a8628ec (diff)
Cherry-pick fix for CVE-2015-1237 (40.0.2214-based)
Clear RenderFrameImpl::frame_ pointer after deleting it. Also avoid dereferencing it in OnMessageReceived after deletion.

BUG=461191
TEST=No more crashes in RenderFrameImpl::OnMessageReceived

Review URL: https://codereview.chromium.org/1007123003

Change-Id: I0f2dcd9e9e78e4255f37ddaa8d5b75b0852d9521
Reviewed-by: Michael Brüning <michael.bruning@theqtcompany.com>
Diffstat (limited to 'chromium/content/renderer/render_frame_impl.h')
-rw-r--r--chromium/content/renderer/render_frame_impl.h5
1 files changed, 4 insertions, 1 deletions
diff --git a/chromium/content/renderer/render_frame_impl.h b/chromium/content/renderer/render_frame_impl.h
index 77d49414589..706c29dd036 100644
--- a/chromium/content/renderer/render_frame_impl.h
+++ b/chromium/content/renderer/render_frame_impl.h
@@ -678,7 +678,10 @@ class CONTENT_EXPORT RenderFrameImpl
RendererCdmManager* GetCdmManager();
#endif
- // Stores the WebLocalFrame we are associated with.
+ // Stores the WebLocalFrame we are associated with. This is null from the
+ // constructor until SetWebFrame is called, and it is null after
+ // frameDetached is called until destruction (which is asynchronous in the
+ // case of the main frame, but not subframes).
blink::WebLocalFrame* frame_;
base::WeakPtr<RenderViewImpl> render_view_;
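Review bot: The new comment promises that frame_ is null from the constructor until SetWebFrame is called and again after frameDetached, but the declaration on the following line still leaves the pointer uninitialized, so the first half of that promise rests entirely on the constructor's initializer list, which is outside this hunk. Because this cherry-pick exists precisely because a stale frame_ was dereferenced after deletion, an in-class initializer makes the documented invariant hold by construction rather than by convention: `blink::WebLocalFrame* frame_ = nullptr;`. The comment would also be more useful to readers if it stated the obligation the null window creates, e.g. `// Any use of frame_ after frameDetached must null-check it first (see OnMessageReceived).` — the accompanying .cc change is not on this page, so the exact call site is inferred from the commit message. The enclosing class RenderFrameImpl begins and ends outside the hunk.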