chore: cherry-pick 94a8bdafc8c6 from chromium #35237
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fix use-after-free vulnerability in ComboboxModel
Stop the Combobox from observing the model when the model gets
destroyed. This is done by adding a virtual OnComboboxModelDestroying()
to the base observer class and calling it in ~ComboboxModel().
This fix will prevent the use-after-free that happens when the combobox outlives the model, usually because the model lifetime
is managed by non-UI component.
Bug: 1264288
Change-Id: Ia00881a9b674bbc83bbf54dd228490c1cc1290bc
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3693825
Commit-Queue: Keren Zhu kerenzhu@chromium.org
Reviewed-by: Matthias Körber koerber@google.com
Auto-Submit: Keren Zhu kerenzhu@chromium.org
Reviewed-by: Peter Boström pbos@chromium.org
Cr-Commit-Position: refs/heads/main@{#1012504}
Notes: Security: backported fix for 1264288.