author: Andrew Xu <andrewxu@chromium.org> 2022-05-27 20:03:41 +0000
committer: Michael Brüning <michael.bruning@qt.io> 2022-08-08 15:24:40 +0000
commit: 916ffc811be5c59186abe7550e3b3959ec186985
tree: 9b0d6a9e6d02202970bea19b6fab00bf63207f48
parent: cd5579cf75189d03f6acb7dcbcdd13766dfe1259
[Backport] CVE-2022-2613: Use after free in Input
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3648376:
Handle notifications sent by gesture provider during destruction

This CL clears `GestureRecognizerImpl::consumer_gesture_provider_`
explicitly so that the notifications from gesture provider during
destruction are handled by `GestureRecognizerImpl` properly.

Bug: 1325256
Change-Id: Iba3b645fc2ad18331947e5556015567a1e8eb513
Commit-Queue: Andrew Xu <andrewxu@chromium.org>
Reviewed-by: Sadrul Chowdhury <sadrul@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1008393}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- chromium/ui/events/gestures/gesture_recognizer_impl.cc | 8
1 files changed, 7 insertions, 1 deletions
diff --git a/chromium/ui/events/gestures/gesture_recognizer_impl.cc b/chromium/ui/events/gestures/gesture_recognizer_impl.cc
index 0420783a582..07440560c96 100644
--- a/chromium/ui/events/gestures/gesture_recognizer_impl.cc
+++ b/chromium/ui/events/gestures/gesture_recognizer_impl.cc
@@ -62,7 +62,13 @@ bool RemoveValueFromMap(std::map<Key, T>* map, const Value& value) {
GestureRecognizerImpl::GestureRecognizerImpl() = default;
-GestureRecognizerImpl::~GestureRecognizerImpl() = default;
+GestureRecognizerImpl::~GestureRecognizerImpl() {
+ // The gesture recognizer impl observes the gesture providers that are owned
+ // by `consumer_gesture_provider_`. Clear `consumer_gesture_provider_`
+ // explicitly so that the notifications sent by gesture providers during
+ // destruction are handled properly.
+ consumer_gesture_provider_.clear();
+}
// Checks if this finger is already down, if so, returns the current target.
// Otherwise, returns NULL.
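Review bot: The comment in the new `~GestureRecognizerImpl()` body says the notifications are "handled properly" but does not say what makes that true. `consumer_gesture_provider_.clear()` runs in the destructor body, before any member of `GestureRecognizerImpl` is destroyed, so callbacks fired while the providers are torn down still see every other member alive. Stating that ordering requirement in the comment would keep a later cleanup from moving the call or reverting to `= default`. The diffstat also shows only this one file changed, so nothing here exercises the path; a regression test that destroys the recognizer while a gesture provider still emits a notification would guard the fix.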