Lookup browser accessibility manager before notifying observers

If the observer causes navigation, the render_frame_host object might
have been deleted and accessing causes use-after-free.

Change-Id: I1a4d6d57befa54d5908ee38b5caf70ac73a18ed3
Task-number: QTBUG-48031
Reviewed-by: Joerg Bornemann <joerg.bornemann@theqtcompany.com>

1 files changed, 3 insertions, 3 deletions

diff --git a/chromium/content/browser/web_contents/web_contents_impl.cc b/chromium/content/browser/web_contents/web_contents_impl.cc
index 08a57739da4..001cbd26b32 100644
--- a/chromium/content/browser/web_contents/web_contents_impl.cc
+++ b/chromium/content/browser/web_contents/web_contents_impl.cc
@@ -2846,6 +2846,9 @@ void WebContentsImpl::DidFailProvisionalLoadWithError(
     RenderFrameHostImpl* render_frame_host,
     const FrameHostMsg_DidFailProvisionalLoadWithError_Params& params) {
   GURL validated_url(params.url);
+  FrameTreeNode* ftn = render_frame_host->frame_tree_node();
+  BrowserAccessibilityManager* manager =
+      ftn->current_frame_host()->browser_accessibility_manager();
   FOR_EACH_OBSERVER(WebContentsObserver,
                     observers_,
                     DidFailProvisionalLoad(render_frame_host,
@@ -2854,9 +2857,6 @@ void WebContentsImpl::DidFailProvisionalLoadWithError(
                                            params.error_description,
                                            params.was_ignored_by_handler));
 
-  FrameTreeNode* ftn = render_frame_host->frame_tree_node();
-  BrowserAccessibilityManager* manager =
-      ftn->current_frame_host()->browser_accessibility_manager();
   if (manager)
     manager->NavigationFailed();
 }