authorJustin Novosad <junov@chromium.org>2021-11-11 22:24:28 +0000
committerMichael Brüning <michael.bruning@qt.io>2022-02-18 01:18:54 +0000
commit80a9238f372f81cb73bb97a9e59f243e13ad8588 (patch)
tree45ef128d4062c26f1197b9787fabf45d878de86a
parent3e5e3920a8f7c720cb15eed2d7febae53009f074 (diff)
downloadqtwebengine-chromium-80a9238f372f81cb73bb97a9e59f243e13ad8588.tar.gz
[Backport] Security bug 1268448
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3276832: Fix dangerous lambda capture in BaseRenderingContext2D We had a lambda that was capturing a local variable by address in a context where it is possible for the lambda to be executed asynchronously. This could cause memory to be read after being popped off the stack. This is a quick bandaid solution. The more permanent solution is to refactor the code to use a pattern that avoids injecting capturing lambdas into WTF::Bind Callbacks that are executed asynchronously. BUG=1268448 Change-Id: I1b08392847e13f4039ec34eee6a66239096b1bf1 Commit-Queue: Justin Novosad <junov@chromium.org> Commit-Queue: Aaron Krajeski <aaronhk@chromium.org> Auto-Submit: Justin Novosad <junov@chromium.org> Reviewed-by: Aaron Krajeski <aaronhk@chromium.org> Cr-Commit-Position: refs/heads/main@{#940945} Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/modules/canvas/canvas2d/base_rendering_context_2d.cc2
1 files changed, 1 insertions, 1 deletions
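diff --git a/chromium/third_party/blink/renderer/modules/canvas/canvas2d/base_rendering_context_2d.cc b/chromium/third_party/blink/renderer/modules/canvas/canvas2d/base_rendering_context_2d.cc
index 98b485c0911..9d47aed5b3a 100644
--- a/chromium/third_party/blink/renderer/modules/canvas/canvas2d/base_rendering_context_2d.cc
+++ b/chromium/third_party/blink/renderer/modules/canvas/canvas2d/base_rendering_context_2d.cc
@@ -1514,7 +1514,7 @@ void BaseRenderingContext2D::drawImage(ScriptState* script_state,
 DrawImageInternal(c, image_source, image.get(), src_rect, dst_rect,
 sampling, flags);
 },
-[this, &dst_rect](const SkIRect& clip_bounds) // overdraw test lambda
+[this, dst_rect](const SkIRect& clip_bounds) // overdraw test lambda
 { return RectContainsTransformedRect(dst_rect, clip_bounds); },
 dst_rect, CanvasRenderingContext2DState::kImagePaintType,
 image_source->IsOpaque()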
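Review bot: The new capture list on the `+` line still takes `this` by pointer, so if the overdraw-test lambda can run after drawImage returns (the commit message says asynchronous execution is possible), the same use-after-scope risk the patch fixes for `dst_rect` remains for the context object; the message calls this a band-aid, but the code itself gives no hint of that. A maintainer reading only the source would not know why this lambda copies while the neighbouring draw lambda on the lines above captures what it captures, so a short why-comment on the capture would preserve the finding, e.g. `// dst_rect by value: this lambda may outlive drawImage's stack frame (crbug.com/1268448).` Whether the copy is cheap depends on dst_rect's type, which is not visible in the hunk; presumably a small rect struct, but worth confirming. The enclosing drawImage function begins before and continues after this hunk.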