authorSimon Zünd <szuend@chromium.org>2023-01-11 05:55:14 +0000
committerMichael Brüning <michael.bruning@qt.io>2023-04-03 15:24:11 +0000
commit8f62524f1bd1d07bb6c5052391a5f82110f217e0 (patch)
tree2363961f49a995ee398df3a20524dd125c61e88c
parent10ed81d38083ad3061ef163dd2c3b089c385590f (diff)
downloadqtwebengine-chromium-8f62524f1bd1d07bb6c5052391a5f82110f217e0.tar.gz
[Backport] CVE-2023-1235: Type Confusion in DevTools
Cherry-pick of commit originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4150308: Ensure that the invoked method is an actual v8::Function CallMethodOnFrame invokes a function that is part of an object which in turn is installed on globalThis. E.g. globalThis['foo'].bar(); CallMethodOnFrame already bails out if 'foo' or 'bar' can't be found, but we should also bail out if 'bar' is not an actual function. Fixed: 1404704 Change-Id: I67c0883a53b358176898bd04fad3c45cf98721ed Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4150308 Reviewed-by: David Bokan <bokan@chromium.org> Commit-Queue: Simon Zünd <szuend@chromium.org> Cr-Commit-Position: refs/heads/main@{#1091189} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/468203 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/core/frame/local_frame_mojo_handler.cc4
1 files changed, 3 insertions, 1 deletions
diff --git a/chromium/third_party/blink/renderer/core/frame/local_frame_mojo_handler.cc b/chromium/third_party/blink/renderer/core/frame/local_frame_mojo_handler.cc
index 463a5b2c2b2..e3e83bd59d3 100644
--- a/chromium/third_party/blink/renderer/core/frame/local_frame_mojo_handler.cc
+++ b/chromium/third_party/blink/renderer/core/frame/local_frame_mojo_handler.cc
@@ -216,9 +216,11 @@ v8::MaybeLocal<v8::Value> CallMethodOnFrame(LocalFrame* local_frame,
v8::Local<v8::Value> object;
v8::Local<v8::Value> method;
if (!GetProperty(context, context->Global(), object_name).ToLocal(&object) ||
- !GetProperty(context, object, method_name).ToLocal(&method)) {
+ !GetProperty(context, object, method_name).ToLocal(&method) ||
+ !method->IsFunction()) {
return v8::MaybeLocal<v8::Value>();
}
+ CHECK(method->IsFunction());
return local_frame->DomWindow()
->GetScriptController()