
chore: cherry-pick 42e15c2055c4 from chromium (#36577)

* chore: [20-x-y] cherry-pick 42e15c2055c4 from chromium

* chore: update patches

Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com>
Co-authored-by: electron-patch-conflict-fixer[bot] <83340002+electron-patch-conflict-fixer[bot]@users.noreply.github.com>
Pedro Pontes 2 years ago
parent
commit
4717ae4321
2 changed files with 116 additions and 0 deletions
  1. 1 0
      patches/chromium/.patches
  2. 115 0
      patches/chromium/cherry-pick-42e15c2055c4.patch

+ 1 - 0
patches/chromium/.patches

@@ -152,6 +152,7 @@ cherry-pick-2ef09109c0ec.patch
 cherry-pick-f98adc846aad.patch
 cherry-pick-eed5a4de2c40.patch
 cherry-pick-d1d654d73222.patch
+cherry-pick-42e15c2055c4.patch
 cherry-pick-77208afba04d.patch
 mojo_disable_sync_call_interrupts_in_the_browser.patch
 mojo_validate_that_a_message_is_allowed_to_use_the_sync_flag.patch

+ 115 - 0
patches/chromium/cherry-pick-42e15c2055c4.patch

@@ -0,0 +1,115 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Joey Arhar <[email protected]>
+Date: Tue, 22 Nov 2022 00:12:31 +0000
+Subject: Avoid use-after-free in ValidationMessageOverlayDelegate
+
+When ValidationMessageOverlayDelegate calls
+ForceSynchronousDocumentInstall, it can somehow cause another validation
+overlay to be created and delete the ValidationMessageOverlayDelegate.
+This patch avoids additional code from being run inside the deleted
+ValidationMessageOverlayDelegate.
+
+(cherry picked from commit a37b66ded21af7ff1442bddd2ec3a0845535b3d6)
+
+Fixed: 1382581
+Change-Id: I044f91ecb55c77c4a5c40030b6856fc9a8ac7f6f
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4019655
+Reviewed-by: David Baron <[email protected]>
+Commit-Queue: Joey Arhar <[email protected]>
+Cr-Original-Commit-Position: refs/heads/main@{#1071652}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4043489
+Commit-Queue: David Baron <[email protected]>
+Auto-Submit: Joey Arhar <[email protected]>
+Cr-Commit-Position: refs/branch-heads/5359@{#911}
+Cr-Branched-From: 27d3765d341b09369006d030f83f582a29eb57ae-refs/heads/main@{#1058933}
+
+diff --git a/third_party/blink/renderer/core/page/validation_message_overlay_delegate.cc b/third_party/blink/renderer/core/page/validation_message_overlay_delegate.cc
+index 33575769b1fa9361c91d27815832f467f7a7f19c..a8a1df886fd8accfdf9fcf9d06ba24e11f16293a 100644
+--- a/third_party/blink/renderer/core/page/validation_message_overlay_delegate.cc
++++ b/third_party/blink/renderer/core/page/validation_message_overlay_delegate.cc
+@@ -85,6 +85,8 @@ ValidationMessageOverlayDelegate::~ValidationMessageOverlayDelegate() {
+     EventDispatchForbiddenScope::AllowUserAgentEvents allow_events;
+     page_->WillBeDestroyed();
+   }
++  if (destroyed_ptr_)
++    *destroyed_ptr_ = true;
+ }
+ 
+ LocalFrameView& ValidationMessageOverlayDelegate::FrameView() const {
+@@ -175,7 +177,18 @@ void ValidationMessageOverlayDelegate::CreatePage(const FrameOverlay& overlay) {
+   WriteDocument(data.get());
+   float zoom_factor = anchor_->GetDocument().GetFrame()->PageZoomFactor();
+   frame->SetPageZoomFactor(zoom_factor);
++
++  // ForceSynchronousDocumentInstall can cause another call to
++  // ValidationMessageClientImpl::ShowValidationMessage, which will hide this
++  // validation message and may even delete this. In order to avoid continuing
++  // when this is destroyed, |destroyed| will be set to true in the destructor.
++  bool destroyed = false;
++  DCHECK(!destroyed_ptr_);
++  destroyed_ptr_ = &destroyed;
+   frame->ForceSynchronousDocumentInstall("text/html", data);
++  if (destroyed)
++    return;
++  destroyed_ptr_ = nullptr;
+ 
+   Element& main_message = GetElementById("main-message");
+   main_message.setTextContent(message_);
+diff --git a/third_party/blink/renderer/core/page/validation_message_overlay_delegate.h b/third_party/blink/renderer/core/page/validation_message_overlay_delegate.h
+index 9db786a4fbd12bc6aeefc520143f872965ad7df8..26e96d8ffad11938dcc3dc5b059f2c7ebf077b94 100644
+--- a/third_party/blink/renderer/core/page/validation_message_overlay_delegate.h
++++ b/third_party/blink/renderer/core/page/validation_message_overlay_delegate.h
+@@ -72,6 +72,10 @@ class CORE_EXPORT ValidationMessageOverlayDelegate
+   String sub_message_;
+   TextDirection message_dir_;
+   TextDirection sub_message_dir_;
++
++  // Used by CreatePage() to determine if this has been deleted in the middle of
++  // the function.
++  bool* destroyed_ptr_ = nullptr;
+ };
+ 
+ }  // namespace blink
+diff --git a/third_party/blink/web_tests/external/wpt/html/semantics/forms/constraints/reportValidity-crash.html b/third_party/blink/web_tests/external/wpt/html/semantics/forms/constraints/reportValidity-crash.html
+new file mode 100644
+index 0000000000000000000000000000000000000000..d6bab924adc9fb481235af10d706cbf4d4ef2df9
+--- /dev/null
++++ b/third_party/blink/web_tests/external/wpt/html/semantics/forms/constraints/reportValidity-crash.html
+@@ -0,0 +1,37 @@
++<!DOCTYPE html>
++<html>
++
++<head>
++<script>
++Object.prototype.__defineGetter__('then', prom);
++var prom_count = 0;
++function prom() {
++prom_count++;
++if (prom_count > 2) return;
++var v14 = x37.animate({},100);
++v14.reverse();
++v14.ready;
++v14.currentTime = 0;
++x57.reportValidity();
++}
++function f0() {
++var v38 = x37.animate({},300);
++v38.ready;
++x57.prepend(x78);
++}
++function f1() {
++var x57 = document.getElementById("x57");
++x57.disabled = false;
++}
++</script>
++</head>
++
++<body>
++<fieldset id="x37">
++<canvas onfocusin="f0()" >
++<input id="x78" autofocus=""  onfocusout="f1()" >
++</canvas>
++<select id="x57" disabled=""  required=""></select>
++</body>
++
++</html>
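Review bot: The alive flag installed at `destroyed_ptr_ = &destroyed;` points into CreatePage()'s own stack frame and is cleared only on the normal path by the trailing `destroyed_ptr_ = nullptr;`, so any other early return placed between those two lines (CreatePage continues past the hunk) would leave the member dangling and the destructor's `*destroyed_ptr_ = true;` would write into a dead frame. The single-activation assumption rests on `DCHECK(!destroyed_ptr_)`, which is absent from release builds; there a nested CreatePage() on the same object would overwrite the outer flag with its own and reset the member to nullptr on return, silently disarming the outer guard for the remainder of its ForceSynchronousDocumentInstall() call. Resetting the member on scope exit rather than by a trailing assignment would close the first gap, and the new header comment could state the invariant explicitly: `// Non-null only while CreatePage() is inside ForceSynchronousDocumentInstall(); points at that call's stack frame.` Since this is an upstream Chromium patch carried as a cherry-pick, either change belongs in a follow-up patch rather than an edit to this file.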