[Backport] Security bug 1242257

Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3160208:
[M90-LTS] compositor: fix bug in sending damage regions

Specifically if a layer is added when sending damaged regions the
iterator would be invalidated. This converts to iterating over the
size.

BUG=1242257
TEST=CompositorTestWithMessageLoop.AddLayerDuringUpdateVisualState

(cherry picked from commit 7c0b0577c3ac1060945b7d05ad69f0dec33479b4)

Change-Id: I09f2bd34afce5d3c9402ef470f14923bbc76b8ae
Commit-Queue: Scott Violet <sky@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#917886}
Reviewed-by: Scott Violet <sky@chromium.org>
Reviewed-by: Jana Grill <janagrill@google.com>
Commit-Queue: Zakhar Voit <voit@google.com>
Cr-Commit-Position: refs/branch-heads/4430@{#1607}
Cr-Branched-From: e5ce7dc4f7518237b3d9bb93cccca35d25216cbe-refs/heads/master@{#857950}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>

1 files changed, 4 insertions, 2 deletions

diff --git a/chromium/ui/compositor/compositor.cc b/chromium/ui/compositor/compositor.cc
index d5582f59fd6..607b6608ade 100644
--- a/chromium/ui/compositor/compositor.cc
+++ b/chromium/ui/compositor/compositor.cc
@@ -578,8 +578,10 @@ void Compositor::BeginMainFrameNotExpectedUntil(base::TimeTicks time) {}
 
 static void SendDamagedRectsRecursive(ui::Layer* layer) {
   layer->SendDamagedRects();
-  for (auto* child : layer->children())
-    SendDamagedRectsRecursive(child);
+  // Iterate using the size for the case of mutation during sending damaged
+  // regions. https://crbug.com/1242257.
+  for (size_t i = 0; i < layer->children().size(); ++i)
+    SendDamagedRectsRecursive(layer->children()[i]);
 }
 
 void Compositor::UpdateLayerTreeHost(VisualStateUpdate requested_update) {