authorMichal Klocek <michal.klocek@qt.io>2023-01-13 16:00:48 +0100
committerMichal Klocek <michal.klocek@qt.io>2023-02-27 13:55:08 +0100
commit16d3701b1dd4887cc4affb0447ee3b9b7729e7fb (patch)
treeda773d83c592c164faaf05a8c942a43b880fc7be /src
parent52728ddf8840c1e786da6fc8d8a8918834d79a32 (diff)
Fix use after free in permission grant
The permission grant can become a dangling pointer in the origin state struct; fix it. Pick-to: 6.5 6.4 Change-Id: If16b604a8c3c05d09ea923251dabcae73192dd7d Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'src')
-rw-r--r--src/core/file_system_access/file_system_access_permission_context_qt.cpp18
-rw-r--r--src/core/file_system_access/file_system_access_permission_context_qt.h4
-rw-r--r--src/core/file_system_access/file_system_access_permission_grant_qt.cpp6
-rw-r--r--src/core/file_system_access/file_system_access_permission_grant_qt.h3
4 files changed, 29 insertions, 2 deletions
diff --git a/src/core/file_system_access/file_system_access_permission_context_qt.cpp b/src/core/file_system_access/file_system_access_permission_context_qt.cpp
index bc88f7898..2fd710ad6 100644
--- a/src/core/file_system_access/file_system_access_permission_context_qt.cpp
+++ b/src/core/file_system_access/file_system_access_permission_context_qt.cpp
@@ -453,4 +453,22 @@ std::u16string FileSystemAccessPermissionContextQt::GetPickerTitle(const blink::
return {};
}
+void FileSystemAccessPermissionContextQt::PermissionGrantDestroyed(
+ FileSystemAccessPermissionGrantQt *grant)
+{
+ auto it = m_origins.find(grant->origin());
+ if (it == m_origins.end())
+ return;
+
+ auto &grants =
+ grant->type() == GrantType::kRead ? it->second.read_grants : it->second.write_grants;
+ auto grant_it = grants.find(grant->path());
+
+ if (grant_it == grants.end()) {
+ return;
+ }
+ if (grant_it->second == grant)
+ grants.erase(grant_it);
+}
+
} // namespace QtWebEngineCore
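Review bot: The two early returns in the new `PermissionGrantDestroyed` are written in different styles — `if (it == m_origins.end()) return;` unbraced at the top, `if (grant_it == grants.end()) { return; }` braced a few lines later — and the final `if (grant_it->second == grant)` is unbraced again, so `if (grant_it == grants.end()) return;` would make the function consistent with itself. The pointer comparison before the erase presumably protects an entry that was already replaced by a newer grant for the same path from being removed; since this is the whole reason the function exists, a header comment such as `// Called from ~FileSystemAccessPermissionGrantQt: drop the m_origins entry that still points at the grant being destroyed so the map never holds a dangling pointer.` would make that intent explicit. The mapped value type of `read_grants`/`write_grants` is not visible in this hunk; if it is a ref-counted or owning handle rather than a raw pointer, erasing it from inside the grant's own destructor would be re-entrant, so that is worth confirming in the header.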
diff --git a/src/core/file_system_access/file_system_access_permission_context_qt.h b/src/core/file_system_access/file_system_access_permission_context_qt.h
index 29fefee24..09e890038 100644
--- a/src/core/file_system_access/file_system_access_permission_context_qt.h
+++ b/src/core/file_system_access/file_system_access_permission_context_qt.h
@@ -19,7 +19,7 @@ class BrowserContext;
}
namespace QtWebEngineCore {
-
+class FileSystemAccessPermissionGrantQt;
class FileSystemAccessPermissionContextQt : public content::FileSystemAccessPermissionContext,
public KeyedService
{
@@ -56,6 +56,8 @@ public:
void NavigatedAwayFromOrigin(const url::Origin &origin);
content::BrowserContext *profile() const { return m_profile; }
+ void PermissionGrantDestroyed(FileSystemAccessPermissionGrantQt *);
+
private:
class PermissionGrantImpl;
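Review bot: The new public declaration `void PermissionGrantDestroyed(FileSystemAccessPermissionGrantQt *);` has an unnamed parameter and no comment, although it is a lifetime hook that only the grant's destructor is meant to call. Naming the parameter and stating the contract in the header, e.g. `// Called by ~FileSystemAccessPermissionGrantQt to remove that grant's entry from m_origins.` above `void PermissionGrantDestroyed(FileSystemAccessPermissionGrantQt *grant);`, makes the coupling between the two classes visible to readers who never open the .cpp. In the first hunk the blank line after `namespace QtWebEngineCore {` was replaced by the forward declaration; keeping one blank line between the namespace opener and `class FileSystemAccessPermissionGrantQt;` would preserve the original spacing.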
diff --git a/src/core/file_system_access/file_system_access_permission_grant_qt.cpp b/src/core/file_system_access/file_system_access_permission_grant_qt.cpp
index 8999bf850..67fa1c8cf 100644
--- a/src/core/file_system_access/file_system_access_permission_grant_qt.cpp
+++ b/src/core/file_system_access/file_system_access_permission_grant_qt.cpp
@@ -22,7 +22,11 @@ FileSystemAccessPermissionGrantQt::FileSystemAccessPermissionGrantQt(
: m_context(context), m_origin(origin), m_path(path), m_handleType(handle_type), m_type(type)
{
}
-
+FileSystemAccessPermissionGrantQt::~FileSystemAccessPermissionGrantQt()
+{
+ if (m_context)
+ m_context->PermissionGrantDestroyed(this);
+}
void FileSystemAccessPermissionGrantQt::RequestPermission(
content::GlobalRenderFrameHostId frame_id, UserActivationState user_activation_state,
base::OnceCallback<void(PermissionRequestOutcome)> callback)
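Review bot: `if (m_context)` in the new destructor only guards against a null pointer; it does not cover the reverse ordering, where the context (a `KeyedService` per the header hunk) is torn down before a grant that still points at it, in which case `m_context->PermissionGrantDestroyed(this)` would itself be a use after free of the kind this commit fixes. Whether that ordering can occur is not visible from the diff: if the context is guaranteed to outlive every grant it hands out, a comment next to the check such as `// NOTE: assumes m_context outlives every grant it creates — confirm against context teardown.` records the invariant; otherwise holding the context as a `base::WeakPtr` and testing it here would close the gap. A blank line between the destructor's closing brace and `void FileSystemAccessPermissionGrantQt::RequestPermission(` would restore the separation the removed blank line at the top of the hunk used to provide.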
diff --git a/src/core/file_system_access/file_system_access_permission_grant_qt.h b/src/core/file_system_access/file_system_access_permission_grant_qt.h
index 1984b8f2c..829d2b889 100644
--- a/src/core/file_system_access/file_system_access_permission_grant_qt.h
+++ b/src/core/file_system_access/file_system_access_permission_grant_qt.h
@@ -36,6 +36,9 @@ public:
void SetStatus(blink::mojom::PermissionStatus status);
+protected:
+ ~FileSystemAccessPermissionGrantQt() override;
+
private:
void OnPermissionRequestResult(base::OnceCallback<void(PermissionRequestOutcome)> callback,
permissions::PermissionAction result);