author    Joey Arhar <jarhar@chromium.org>    2022-07-26 19:42:57 +0000
committer Michael Brüning <michael.bruning@qt.io>    2022-08-22 12:29:19 +0000
commit    e9e9b18fa2b57edb586b5d14c2cffdf5d5066cdd (patch)
tree      1930299d9464226ff851c7e0cde9e4c7b2527950
parent    43fa878de98ead423777f309596d9014b23fee57 (diff)
download  qtwebengine-chromium-e9e9b18fa2b57edb586b5d14c2cffdf5d5066cdd.tar.gz
[Backport] CVE-2022-2857: Use after free in Blink

Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3751710:

Don't re-lock DisplayLocks during forced unlock

When a DisplayLock is unlocked via ForceUnlockIfNeeded, subsequent
updates to the DisplayLock can cause it to become locked again which is
problematic. This patch prevents the DisplayLock from being locked again
until the next frame.

Fixed: 1338135
Change-Id: I07790658e25ea9fe2f4e8de154e3a58e7e08892b
Commit-Queue: Joey Arhar <jarhar@chromium.org>
Reviewed-by: Vladimir Levin <vmpstr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1028405}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--  chromium/third_party/blink/renderer/core/display_lock/display_lock_context.cc  3
1 files changed, 3 insertions, 0 deletions
diff --git a/chromium/third_party/blink/renderer/core/display_lock/display_lock_context.cc b/chromium/third_party/blink/renderer/core/display_lock/display_lock_context.cc
index a6207c2a5b3..686aa701731 100644
--- a/chromium/third_party/blink/renderer/core/display_lock/display_lock_context.cc
+++ b/chromium/third_party/blink/renderer/core/display_lock/display_lock_context.cc
@@ -1026,6 +1026,9 @@ bool DisplayLockContext::ForceUnlockIfNeeded() {
layout_invalidation_reason::kDisplayLock);
}
}
+ // If we forced unlock, then we need to prevent subsequent calls to
+ // Lock() until the next frame.
+ SetRequestedState(EContentVisibility::kVisible);
}
return true;
}
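Review bot: the added comment promises that Lock() is blocked "until the next frame", but nothing in this hunk shows where the requested state set by `SetRequestedState(EContentVisibility::kVisible);` is cleared or re-evaluated when that frame arrives, so a reader cannot tell from this file how long the override lasts; please name the code path that restores the requested state in the comment. The diffstat also shows only display_lock_context.cc changing, so the re-lock-after-forced-unlock case behind Fixed: 1338135 has no regression test in this change; a test that forces an unlock, triggers a subsequent DisplayLock update, and asserts the lock is not re-acquired before the next frame would guard against this use-after-free returning.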