authorAndrew Xu <andrewxu@chromium.org>2022-06-01 11:26:46 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2022-06-16 19:34:37 +0000
commitfaee5ab9e7d70aae1aa48c71c583b43035d57f2d (patch)
tree82036476737e0a101740a22c19475c039af16839
parent97ad20e9fc721c1e021d52413a730fad830274ee (diff)
downloadqtwebengine-chromium-faee5ab9e7d70aae1aa48c71c583b43035d57f2d.tar.gz
[Backport] CVE-2022-1866: Use after free in Tablet Mode
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3669247: Handle late ACKed touch events more properly This CL adds an extra function named `OnGestureProviderAuraWillBeDestroyed()` to `GestureProviderAuraClient` so that `GestureProviderAuraClient` can respond to the destruction of a `GestureProviderAura` instance. See comment 27 under this issue for more details. (cherry picked from commit d2fdb99a2b5d87c75fef69968d4d477cbd66ebd9) Bug: 1292264 Change-Id: I53502e896d3a36f9610ca48c11b07422e5b4ce03 Commit-Queue: Andrew Xu <andrewxu@chromium.org> Cr-Original-Commit-Position: refs/heads/main@{#984964} Reviewed-by: Simon Hangl <simonha@google.com> Owners-Override: Simon Hangl <simonha@google.com> Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com> Cr-Commit-Position: refs/branch-heads/4664@{#1641} Cr-Branched-From: 24dc4ee75e01a29d390d43c9c264372a169273a7-refs/heads/main@{#929512} Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/ui/events/gestures/gesture_provider_aura.cc6
-rw-r--r--chromium/ui/events/gestures/gesture_provider_aura.h4
-rw-r--r--chromium/ui/events/gestures/gesture_recognizer_impl.cc12
-rw-r--r--chromium/ui/events/gestures/gesture_recognizer_impl.h12
4 files changed, 32 insertions, 2 deletions
diff --git a/chromium/ui/events/gestures/gesture_provider_aura.cc b/chromium/ui/events/gestures/gesture_provider_aura.cc
index 0efa57213c6..943230a5e03 100644
--- a/chromium/ui/events/gestures/gesture_provider_aura.cc
+++ b/chromium/ui/events/gestures/gesture_provider_aura.cc
@@ -39,7 +39,9 @@ GestureProviderAura::GestureProviderAura(GestureConsumer* consumer,
kDoubleTapPlatformSupport);
}
-GestureProviderAura::~GestureProviderAura() {}
+GestureProviderAura::~GestureProviderAura() {
+ client_->OnGestureProviderAuraWillBeDestroyed(this);
+}
bool GestureProviderAura::OnTouchEvent(TouchEvent* event) {
if (!pointer_state_.OnTouch(*event))
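Review bot: The new destructor body `client_->OnGestureProviderAuraWillBeDestroyed(this);` dereferences `client_` unconditionally; if the constructor accepts a null client (its parameter list continues outside the hunk, so this cannot be confirmed here), destroying such a provider now crashes where the old empty destructor did not, and a `if (client_)` guard would keep that path safe. The call also hands a pointer to an object that is mid-destruction to a virtual on another object, so the contract belongs in a comment above the call: `// Let the client drop its raw pointers to this provider. |this| is being destroyed and may only be used for identity comparison, never dereferenced.` The second hunk in this file only fixes the namespace comment.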
@@ -114,4 +116,4 @@ void GestureProviderAura::OnTouchEnter(int pointer_id, float x, float y) {
false /* is_source_touch_event_set_blocking */);
}
-} // namespace content
+} // namespace ui
diff --git a/chromium/ui/events/gestures/gesture_provider_aura.h b/chromium/ui/events/gestures/gesture_provider_aura.h
index 555149b7e5d..0c82bc471f8 100644
--- a/chromium/ui/events/gestures/gesture_provider_aura.h
+++ b/chromium/ui/events/gestures/gesture_provider_aura.h
@@ -27,6 +27,10 @@ class EVENTS_EXPORT GestureProviderAuraClient {
virtual ~GestureProviderAuraClient() {}
virtual void OnGestureEvent(GestureConsumer* consumer,
GestureEvent* event) = 0;
+
+ // Called when `gesture_provider` will be destroyed.
+ virtual void OnGestureProviderAuraWillBeDestroyed(
+ GestureProviderAura* gesture_provider) {}
};
// Provides gesture detection and dispatch given a sequence of touch events
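Review bot: `OnGestureProviderAuraWillBeDestroyed()` is added with an empty default body rather than as a pure virtual, so any other `GestureProviderAuraClient` implementation that caches a `GestureProviderAura*` keeps a dangling pointer with no compile error to point at it; whether such implementations exist is not visible from this hunk, but the choice should be deliberate and recorded. The comment on the new method should also state what the callee may do with the argument, since it is invoked from the provider's destructor: `// Called from |gesture_provider|'s destructor. The pointer is only valid for identity comparison (e.g. to purge lookup tables) and must not be dereferenced.`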
diff --git a/chromium/ui/events/gestures/gesture_recognizer_impl.cc b/chromium/ui/events/gestures/gesture_recognizer_impl.cc
index 8f7bd8ae94c..0420783a582 100644
--- a/chromium/ui/events/gestures/gesture_recognizer_impl.cc
+++ b/chromium/ui/events/gestures/gesture_recognizer_impl.cc
@@ -408,6 +408,18 @@ void GestureRecognizerImpl::OnGestureEvent(GestureConsumer* raw_input_consumer,
DispatchGestureEvent(raw_input_consumer, event);
}
+void GestureRecognizerImpl::OnGestureProviderAuraWillBeDestroyed(
+ GestureProviderAura* gesture_provider) {
+ // Clean `event_to_gesture_provider_` by removing invalid raw pointers.
+ for (auto iter = event_to_gesture_provider_.begin();
+ iter != event_to_gesture_provider_.end();) {
+ if (iter->second == gesture_provider)
+ iter = event_to_gesture_provider_.erase(iter);
+ else
+ ++iter;
+ }
+}
+
GestureEventHelper* GestureRecognizerImpl::FindDispatchHelperForConsumer(
GestureConsumer* consumer) {
std::vector<GestureEventHelper*>::iterator it;
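Review bot: The hand-written erase-while-iterating loop in `OnGestureProviderAuraWillBeDestroyed` is correct for a node-based map (the declaration of `event_to_gesture_provider_` is outside the hunk, so its container type is assumed), but Chromium's `base::EraseIf` states the intent in one expression: `base::EraseIf(event_to_gesture_provider_, [gesture_provider](const auto& entry) { return entry.second == gesture_provider; });`, provided the corresponding base header is included, which this hunk does not show. The comment `// Clean \`event_to_gesture_provider_\` by removing invalid raw pointers.` would be more precise as `// Drop every entry that maps to the provider being destroyed so a late-ACKed event cannot be routed to a dangling pointer.`, which ties the cleanup to the use-after-free this change fixes. If other members also hold `GestureProviderAura*` values, they need the same purge; only this one map is visible here.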
diff --git a/chromium/ui/events/gestures/gesture_recognizer_impl.h b/chromium/ui/events/gestures/gesture_recognizer_impl.h
index 1baf466eb34..ecb320390b0 100644
--- a/chromium/ui/events/gestures/gesture_recognizer_impl.h
+++ b/chromium/ui/events/gestures/gesture_recognizer_impl.h
@@ -19,6 +19,13 @@
#include "ui/events/types/event_type.h"
#include "ui/gfx/geometry/point.h"
+namespace aura {
+namespace test {
+FORWARD_DECLARE_TEST(GestureRecognizerTest,
+ DestroyGestureProviderAuraBeforeAck);
+} // namespace test
+} // namespace aura
+
namespace ui {
class GestureConsumer;
class GestureEvent;
@@ -73,6 +80,9 @@ class EVENTS_EXPORT GestureRecognizerImpl : public GestureRecognizer,
GestureConsumer* consumer) override;
private:
+ FRIEND_TEST_ALL_PREFIXES(aura::test::GestureRecognizerTest,
+ DestroyGestureProviderAuraBeforeAck);
+
// Sets up the target consumer for gestures based on the touch-event.
void SetupTargets(const TouchEvent& event, GestureConsumer* consumer);
@@ -96,6 +106,8 @@ class EVENTS_EXPORT GestureRecognizerImpl : public GestureRecognizer,
// Overridden from GestureProviderAuraClient
void OnGestureEvent(GestureConsumer* raw_input_consumer,
GestureEvent* event) override;
+ void OnGestureProviderAuraWillBeDestroyed(
+ GestureProviderAura* gesture_provider) override;
// Convenience method to find the GestureEventHelper that can dispatch events
// to a specific |consumer|.