From 96f468eb2b974558ec1650697f1e64c443d09d43 Mon Sep 17 00:00:00 2001
From: xurui
Date: Wed, 20 Dec 2023 11:11:05 -0500
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8DCVE-2023-6510?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: xurui
---
 .../media/capture/web_contents_frame_tracker.cc | 16 +++++++++++-----
 .../media/capture/web_contents_frame_tracker.h | 10 +++++-----
 2 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/content/browser/media/capture/web_contents_frame_tracker.cc b/content/browser/media/capture/web_contents_frame_tracker.cc
index 6f2ffc0e72..13a8d4cae4 100644
--- a/content/browser/media/capture/web_contents_frame_tracker.cc
+++ b/content/browser/media/capture/web_contents_frame_tracker.cc
@@ -90,12 +90,16 @@ WebContentsFrameTracker::WebContentsFrameTracker(
 base::WeakPtr device,
 MouseCursorOverlayController* cursor_controller)
 : device_(std::move(device)),
- device_task_runner_(base::ThreadTaskRunnerHandle::Get()) {
- DCHECK(device_task_runner_);
+ device_task_runner_(base::ThreadTaskRunnerHandle::Get())
+#if !BUILDFLAG(IS_ANDROID)
+ ,
+ cursor_controller_(cursor_controller->GetWeakPtr())
+#endif
+{
+ CHECK(device_task_runner_);
 #if !BUILDFLAG(IS_ANDROID)
- cursor_controller_ = cursor_controller;
- DCHECK(cursor_controller_);
+ CHECK(cursor_controller_);
 #endif
 }
@@ -289,7 +293,9 @@ void WebContentsFrameTracker::SetTargetView(gfx::NativeView view) {
 return;
 target_native_view_ = view;
 #if !BUILDFLAG(IS_ANDROID)
- cursor_controller_->SetTargetView(view);
+ if (cursor_controller_) {
+ cursor_controller_->SetTargetView(view);
+ }
 #endif
 }
diff --git a/content/browser/media/capture/web_contents_frame_tracker.h b/content/browser/media/capture/web_contents_frame_tracker.h
index 56e7775622..8220bb11cb 100644
--- a/content/browser/media/capture/web_contents_frame_tracker.h
+++ b/content/browser/media/capture/web_contents_frame_tracker.h
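Review bot: The initializer `cursor_controller_(cursor_controller->GetWeakPtr())` dereferences the raw `cursor_controller` argument before anything has checked it, so a null argument is undefined behaviour in the initializer list rather than a clean failure at `CHECK(cursor_controller_)` in the body, which only tests the resulting WeakPtr. Because the member is now const it has to be set in the initializer list; `cursor_controller_(cursor_controller ? cursor_controller->GetWeakPtr() : nullptr)` keeps that and lets the existing CHECK report the null case. The constructor's signature begins above the hunk.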
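Review bot: The new `if (cursor_controller_)` guard in SetTargetView skips the call silently, with no comment saying when the controller can be gone, and `target_native_view_ = view;` has already been assigned above it, so the tracker's view and the controller's view can differ from then on. A one-line comment such as `// The controller may already be destroyed (https://crbug.com/1480152); nothing to update then.` would record that this is intended. This is the only dereference the patch guards in the .cc; any other use of `cursor_controller_` in the file, not visible here, would need the same check. SetTargetView starts above the hunk.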
@@ -120,12 +120,12 @@ class CONTENT_EXPORT WebContentsFrameTracker final
 // The task runner to be used for device callbacks.
 const scoped_refptr device_task_runner_;
- // Owned by FrameSinkVideoCaptureDevice. This will be valid for the life of
- // WebContentsFrameTracker because the WebContentsFrameTracker deleter task
- // will be posted to the UI thread before the MouseCursorOverlayController
- // deleter task.
+ // Owned by FrameSinkVideoCaptureDevice. This may only be accessed on the
+ // UI thread. This is not guaranteed to be valid and must be checked before
+ // use.
+ // https://crbug.com/1480152
 #if !BUILDFLAG(IS_ANDROID)
- raw_ptr cursor_controller_ = nullptr;
+ const base::WeakPtr cursor_controller_;
 #endif
 // We may not have a frame sink ID target at all times.
--
Gitee
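Review bot: The new comment's "may only be accessed on the UI thread" does not match the constructor in the .cc part of this patch, which evaluates `CHECK(cursor_controller_)` at construction time. If the tracker is constructed off the UI thread (the constructor captures `device_task_runner_` from the current thread, which suggests so but cannot be confirmed from this patch), that check is itself an access from another thread, and a base::WeakPtr is meant to be checked and dereferenced on one sequence. The comment should state the rule the code actually follows, for example `// Bound in the constructor; afterwards checked and dereferenced only on the UI thread.`, or the constructor should stop testing the WeakPtr. The class body continues outside the hunk.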