Avoid TextInputClient UAF in InputMethodAuraLinux

The specific UAF happens as a views::Checkbox callback deletes the
dialog in which it was hosted. Because the client pointer is cached in
InputMethodAuraLinux::ProcessKeyEventDone there's UAF after that point.

The fix checks if GetTextInputClient() has changed after InsertChar() or
InsertText() and returns early, stopping event propagation.

Bug: 1125187
Change-Id: Id6a277858adf69011d56627893a98b5603eee503
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2399245Reviewed-by: Yuichiro Hanada <yhanada@chromium.org>
Commit-Queue: Peter Boström <pbos@chromium.org>
Cr-Commit-Position: refs/heads/master@{#805295}

ui/base/ime/linux/input_method_auralinux.cc

@@ -134,6 +134,13 @@ ui::EventDispatchDetails InputMethodAuraLinux::ProcessKeyEventDone(
         ui::KeyEvent ch_event(*event);
         ch_event.set_character(ch);
         client->InsertChar(ch_event);
+        // If the client changes we assume that the original target has been
+        // destroyed.
+        if (client != GetTextInputClient()) {
+          details.target_destroyed = true;
+          event->StopPropagation();
+          return details;
+        }
       }
     } else {
       // If |filtered| is false, that means the IME wants to commit some text
@@ -143,6 +150,13 @@ ui::EventDispatchDetails InputMethodAuraLinux::ProcessKeyEventDone(
       // In such case, don't do InsertChar because a key should only trigger the
       // keydown event once.
       client->InsertText(result_text_);
+      // If the client changes we assume that the original target has been
+      // destroyed.
+      if (client != GetTextInputClient()) {
+        details.target_destroyed = true;
+        event->StopPropagation();
+        return details;
+      }
     }
     should_stop_propagation = true;
   }