Guard against UaF in NavigationRequest

This CL adds a check in NavigationRequest::OnWillProcessResponseProcessed to
return early if the call to ReadyToCommit leads to the deletion of the
NavigationRequest.

Bug: 1090543
Change-Id: Ida21db80caef1772f2f21c5d2449d3efe4dd1bb1
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2254119Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Commit-Queue: Camille Lamy <clamy@chromium.org>
Auto-Submit: Camille Lamy <clamy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#781301}

content/browser/frame_host/navigation_request.cc

@@ -3702,11 +3702,19 @@ void NavigationRequest::OnWillProcessResponseProcessed(
   DCHECK(processing_navigation_throttle_);
   processing_navigation_throttle_ = false;
   if (result.action() == NavigationThrottle::PROCEED) {
+    base::WeakPtr<NavigationRequest> weak_self(weak_factory_.GetWeakPtr());
+
     // If the navigation is done processing the response, then it's ready to
     // commit. Inform observers that the navigation is now ready to commit,
     // unless it is not set to commit (204/205s/downloads).
     if (render_frame_host_)
       ReadyToCommitNavigation(false);
+
+    // The call above might block on showing a user dialog. The interaction of
+    // the user with this dialog might result in the WebContents owning this
+    // NavigationRequest to be destroyed. Return if this is the case.
+    if (!weak_self)
+      return;
   } else {
     SetState(CANCELING);
   }