Fix use-after-free in NavigatorImpl::Navigate

|dest_url| references url inside navigation request which could be destroyed after call to BeginNavigation. Make it local variable instead, to avoid use-after-free error. Change-Id: I6c387d04e682d32d1e37a70171b23f28fc49d088 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2087724Reviewed-by: Bo <boliu@chromium.org> Commit-Queue: Bo <boliu@chromium.org> Cr-Commit-Position: refs/heads/master@{#747281}

Fix use-after-free in NavigatorImpl::Navigate
|dest_url| references url inside navigation request which could be destroyed after call to BeginNavigation. Make it local variable instead, to avoid use-after-free error. Change-Id: I6c387d04e682d32d1e37a70171b23f28fc49d088 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2087724Reviewed-by: Bo <boliu@chromium.org> Commit-Queue: Bo <boliu@chromium.org> Cr-Commit-Position: refs/heads/master@{#747281}
6d58f1d9 · Marko Ivanovich · Commit Bot · df6e8e0b · 6d58f1d9
Commit 6d58f1d9 authored Mar 05, 2020 by Marko Ivanovich Committed by Commit Bot Mar 05, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 1 deletion

content/browser/frame_host/navigator_impl.cc content/browser/frame_host/navigator_impl.cc +4 -1

No files found.
--- a/content/browser/frame_host/navigator_impl.cc
+++ b/content/browser/frame_host/navigator_impl.cc
@@ -294,7 +294,10 @@ void NavigatorImpl::Navigate(std::unique_ptr<NavigationRequest> request,
      "navigation,rail", "NavigationTiming navigationStart",
      TRACE_EVENT_SCOPE_GLOBAL, request->common_params().navigation_start);

-  const GURL& dest_url = request->common_params().url;
+  // Save destination url, as it is needed for
+  // DidStartNavigationToPendingEntry and request could be destroyed after
+  // BeginNavigation below.
+  GURL dest_url = request->common_params().url;
  FrameTreeNode* frame_tree_node = request->frame_tree_node();

  navigation_data_.reset(new NavigationMetricsData(