Minor UI logic changes to prevent a UAF bug when starting tab capture.

See discussion in crbug 1155426 for details. Changes:

MediaStreamCaptureIndicator::UIDelegate: Ignore multiple calls to
OnStarted().

TabSharingUIViews: Unconditionally execute clean-up tasks in destructor.

Bug: 1155426
Change-Id: I392fba38118ce51744ba36b4dec19ebfe39f1fbe
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2581028Reviewed-by: Guido Urdaneta <guidou@chromium.org>
Reviewed-by: Marina Ciocea <marinaciocea@chromium.org>
Commit-Queue: Yuri Wiitala <miu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#835736}

chrome/browser/media/webrtc/media_stream_capture_indicator.cc

@@ -208,7 +208,12 @@ class MediaStreamCaptureIndicator::UIDelegate : public content::MediaStreamUI {
       const std::string& label,
       std::vector<content::DesktopMediaID> screen_capture_ids,
       StateChangeCallback state_change_callback) override {
-    DCHECK(!started_);
+    if (started_) {
+      // Ignore possibly-compromised renderers that might call
+      // MediaStreamDispatcherHost::OnStreamStarted() more than once.
+      // See: https://crbug.com/1155426
+      return 0;
+    }
     started_ = true;
 
     if (device_usage_) {

chrome/browser/ui/views/tab_sharing/tab_sharing_ui_views.cc

@@ -135,8 +135,10 @@ TabSharingUIViews::TabSharingUIViews(const content::DesktopMediaID& media_id,
 }
 
 TabSharingUIViews::~TabSharingUIViews() {
-  if (!infobars_.empty())
-    StopSharing();
+  // Unconditionally call StopSharing(), to ensure all clean-up has been
+  // performed if tasks race (e.g., OnStarted() is called after
+  // OnInfoBarRemoved()). See: https://crbug.com/1155426
+  StopSharing();
 }
 
 gfx::NativeViewId TabSharingUIViews::OnStarted(