[ MimeHandlerView ] Fix a browser crash

Navigations to a MimeHandlerView type could finish without calling ReadyToCommitNavigation which is when MimeHandlerViewEmbedder sets its |render_frame_host_| reference (e.g., due to FrameTreeNode being removed mid navigation). This adds a null check to the DidFinishNavigation override to avoid browser crashes. Bug: 969840 Change-Id: I2aa595a9a444cb77c10d124e6e345505b76cc81c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1643092 Commit-Queue: Ehsan Karamad <ekaramad@chromium.org> Reviewed-by: James MacLean <wjmaclean@chromium.org> Cr-Commit-Position: refs/heads/master@{#666048}
marcosholgado · Jun 4, 2019 · 60b6382 · 60b6382
1 parent 3c5b967
commit 60b6382
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/extensions/browser/guest_view/mime_handler_view/mime_handler_view_embedder.cc b/extensions/browser/guest_view/mime_handler_view/mime_handler_view_embedder.cc
@@ -218,8 +218,13 @@ void MimeHandlerViewEmbedder::ReadyToCreateMimeHandlerView(
 }
 
 void MimeHandlerViewEmbedder::CheckSandboxFlags() {
-  if (!render_frame_host_->IsSandboxed(blink::WebSandboxFlags::kPlugins))
+  // If the FrameTreeNode is deleted while it has ownership of the ongoing
+  // NavigationRequest, DidFinishNavigation is called before FrameDeleted (see
+  // https://crbug.com/969840).
+  if (render_frame_host_ &&
+      !render_frame_host_->IsSandboxed(blink::WebSandboxFlags::kPlugins)) {
     return;
+  }
   // Notify the renderer to load an empty page instead.
   GetContainerManager()->LoadEmptyPage(resource_url_);
   GetMimeHandlerViewEmbeddersMap()->erase(frame_tree_node_id_);