Add pre-finalizer to SpeechSynthesisUtterance.

Avoids a UAF by disconnecting the mojo::Receiver from the pre-finalizer.

Bug: 1043603
Change-Id: I1592a517bf74dd4fcb8e947e1122442864e0dacc
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2042276Reviewed-by: Darin Fisher <darin@chromium.org>
Commit-Queue: Dominic Mazzoni <dmazzoni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#739140}

third_party/blink/renderer/modules/speech/speech_synthesis_utterance.cc

@@ -142,6 +142,10 @@ void SpeechSynthesisUtterance::Start(SpeechSynthesis* synthesis) {
       &SpeechSynthesisUtterance::OnDisconnected, WrapWeakPersistent(this)));
 }
 
+void SpeechSynthesisUtterance::Dispose() {
+  receiver_.reset();
+}
+
 void SpeechSynthesisUtterance::OnDisconnected() {
   // If the remote end disconnects, just simulate that we finished normally.
   if (!finished_)

third_party/blink/renderer/modules/speech/speech_synthesis_utterance.h

@@ -42,6 +42,7 @@ class SpeechSynthesisUtterance final
       public ContextClient,
       public mojom::blink::SpeechSynthesisClient {
   DEFINE_WRAPPERTYPEINFO();
+  USING_PRE_FINALIZER(SpeechSynthesisUtterance, Dispose);
   USING_GARBAGE_COLLECTED_MIXIN(SpeechSynthesisUtterance);
 
  public:
@@ -106,6 +107,10 @@ class SpeechSynthesisUtterance final
   void Start(SpeechSynthesis* synthesis);
 
  private:
+  // USING_PRE_FINALIZER interface.
+  // Called before the object gets garbage collected.
+  void Dispose();
+
   void OnDisconnected();
 
   // EventTarget