Prevent the WebPluginContainer being destroyed inside scriptableObject()

Current re-entrancy inside WebPluginContainer::scriptableObject can cause
the plugin to be deleted, as well as the WebPluginContainer. This can cause
UAFs. This change holds a reference to the plugin container to prevent it from
being destroyed while in the function. This also prevents the WebPlugin
associated with it from being destroyed since the lifetime of WebPlugin is
managed by the WebPluginContainer.

BUG=458776

Review URL: https://codereview.chromium.org/933653004

git-svn-id: svn://svn.chromium.org/blink/trunk@190700 bbb929c8-8fbe-4397-9dbb-9b2b20218538

third_party/WebKit/Source/web/WebPluginContainerImpl.cpp

@@ -595,11 +595,16 @@ WebLayer* WebPluginContainerImpl::platformLayer() const
 
 v8::Local<v8::Object> WebPluginContainerImpl::scriptableObject(v8::Isolate* isolate)
 {
+    // The plugin may be destroyed due to re-entrancy when calling
+    // v8ScriptableObject below. crbug.com/458776. Hold a reference to the
+    // plugin container to prevent this from happening.
+    RefPtrWillBeRawPtr<WebPluginContainerImpl> protector(this);
+
     v8::Local<v8::Object> object = m_webPlugin->v8ScriptableObject(isolate);
-    // |m_webPlugin| may be destroyed during the above line due to re-entrancy
-    // caused by sync messages to the plugin. If this is the case just return an
-    // empty handle. crbug.com/423263.
-    if (!m_webPlugin)
+
+    // If the plugin has been destroyed and the reference on the stack is the
+    // only one left, then don't return the scriptable object.
+    if (hasOneRef())
         return v8::Local<v8::Object>();
 
     if (!object.IsEmpty()) {