Prevent crash in WebMediaPlayerMS when replacing WebLayer*.

The WebLayer* given to SetWebLayer() must be kept alive until /after/
the next call to SetWebLayer(), as the client will hold and use that
pointer, including inside the next SetWebLayer() call.

R=xhwang@chromium.org

Bug: 843114
Change-Id: Iee4bc139f02f918f60e7b13455ed2b47bedaa1b9
Reviewed-on: https://chromium-review.googlesource.com/1059698
Commit-Queue: danakj <danakj@chromium.org>
Reviewed-by: Xiaohan Wang <xhwang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#558848}

content/renderer/media/stream/webmediaplayer_ms.cc

@@ -1005,11 +1005,17 @@ void WebMediaPlayerMS::OnRotationChanged(media::VideoRotation video_rotation,
   DCHECK(thread_checker_.CalledOnValidThread());
   video_rotation_ = video_rotation;
 
-  video_layer_ = cc::VideoLayer::Create(compositor_.get(), video_rotation);
-  video_layer_->SetContentsOpaque(is_opaque);
+  // Keep the old |video_layer_| and |video_weblayer_| alive until SetWebLayer
+  // is called with a new pointer, as it may use the pointer from the last call.
+  auto new_video_layer =
+      cc::VideoLayer::Create(compositor_.get(), video_rotation);
+  new_video_layer->SetContentsOpaque(is_opaque);
 
-  video_weblayer_ = std::make_unique<blink::WebLayer>(video_layer_.get());
-  get_client()->SetWebLayer(video_weblayer_.get());
+  auto new_weblayer = std::make_unique<blink::WebLayer>(new_video_layer.get());
+  get_client()->SetWebLayer(new_weblayer.get());
+
+  video_layer_ = std::move(new_video_layer);
+  video_weblayer_ = std::move(new_weblayer);
 }
 
 void WebMediaPlayerMS::RepaintInternal() {