
chore: cherry-pick 3ca3d70c7af5 from chromium (#27388)

* chore: cherry-pick 3ca3d70c7af5 from chromium

* update patches

Co-authored-by: Shelley Vohr <[email protected]>
tosmolka 4 years ago
parent
commit
ccec6ed0b7
2 changed files with 57 additions and 0 deletions
  1. 1 0
      patches/chromium/.patches
  2. 56 0
      patches/chromium/cherry-pick-3ca3d70c7af5.patch

+ 1 - 0
patches/chromium/.patches

@@ -166,6 +166,7 @@ only_zero_out_cross-origin_audio_that_doesn_t_get_played_out.patch
 fix_setparentacessibile_crash_win.patch
 backport_1142331.patch
 backport_1151865.patch
+cherry-pick-3ca3d70c7af5.patch
 cherry-pick-861253f1de98.patch
 cherry-pick-d866af575997.patch
 mojo_fix_uaf_on_nodechannel.patch

+ 56 - 0
patches/chromium/cherry-pick-3ca3d70c7af5.patch

@@ -0,0 +1,56 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Yuri Wiitala <[email protected]>
+Date: Thu, 10 Dec 2020 18:07:39 +0000
+Subject: Minor UI logic changes to prevent a UAF bug when starting tab
+ capture.
+
+See discussion in crbug 1155426 for details. Changes:
+
+MediaStreamCaptureIndicator::UIDelegate: Ignore multiple calls to
+OnStarted().
+
+TabSharingUIViews: Unconditionally execute clean-up tasks in destructor.
+
+Bug: 1155426
+Change-Id: I392fba38118ce51744ba36b4dec19ebfe39f1fbe
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2581028
+Reviewed-by: Guido Urdaneta <[email protected]>
+Reviewed-by: Marina Ciocea <[email protected]>
+Commit-Queue: Yuri Wiitala <[email protected]>
+Cr-Commit-Position: refs/heads/master@{#835736}
+
+diff --git a/chrome/browser/media/webrtc/media_stream_capture_indicator.cc b/chrome/browser/media/webrtc/media_stream_capture_indicator.cc
+index 8e353fba8ffcd9724252be114e2d621ce3788068..418419abd04c258eedc100a56c1b056503af1a8c 100644
+--- a/chrome/browser/media/webrtc/media_stream_capture_indicator.cc
++++ b/chrome/browser/media/webrtc/media_stream_capture_indicator.cc
+@@ -185,7 +185,12 @@ class MediaStreamCaptureIndicator::UIDelegate : public content::MediaStreamUI {
+   gfx::NativeViewId OnStarted(
+       base::OnceClosure stop_callback,
+       content::MediaStreamUI::SourceCallback source_callback) override {
+-    DCHECK(!started_);
++    if (started_) {
++      // Ignore possibly-compromised renderers that might call
++      // MediaStreamDispatcherHost::OnStreamStarted() more than once.
++      // See: https://crbug.com/1155426
++      return 0;
++    }
+     started_ = true;
+ 
+     if (device_usage_) {
+diff --git a/chrome/browser/ui/views/tab_sharing/tab_sharing_ui_views.cc b/chrome/browser/ui/views/tab_sharing/tab_sharing_ui_views.cc
+index 1582ccedd3fac5368e7adf94ec222e5d85b18aab..35e4f3e93c41f52fb50599da4050c0f3c25dd0d4 100644
+--- a/chrome/browser/ui/views/tab_sharing/tab_sharing_ui_views.cc
++++ b/chrome/browser/ui/views/tab_sharing/tab_sharing_ui_views.cc
+@@ -134,8 +134,10 @@ TabSharingUIViews::TabSharingUIViews(const content::DesktopMediaID& media_id,
+ }
+ 
+ TabSharingUIViews::~TabSharingUIViews() {
+-  if (!infobars_.empty())
+-    StopSharing();
++  // Unconditionally call StopSharing(), to ensure all clean-up has been
++  // performed if tasks race (e.g., OnStarted() is called after
++  // OnInfoBarRemoved()). See: https://crbug.com/1155426
++  StopSharing();
+ }
+ 
+ gfx::NativeViewId TabSharingUIViews::OnStarted(
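Review bot: The destructor hunk in tab_sharing_ui_views.cc now calls StopSharing() unconditionally, but whether StopSharing() tolerates being run when `infobars_` is already empty (the case the removed guard excluded) cannot be confirmed from this patch, since its body lies outside the hunk; before landing the backport it is worth checking that Electron's Chromium checkout carries the same StopSharing() the upstream change relies on. In the media_stream_capture_indicator.cc hunk a repeated OnStarted() returns 0 and drops `stop_callback` and `source_callback` without logging, which is the intended hardening against a renderer issuing OnStreamStarted() twice, and the upstream comment already records the reason, so no change is needed there. Both enclosing functions (UIDelegate::OnStarted and the TabSharingUIViews destructor's neighbour OnStarted) continue past the hunk boundaries. The patch body names the upstream change only by Change-Id and Cr-Commit-Position with a zeroed `From` hash, so the cherry-picked commit id lives only in the filename; the commit description could reference crbug 1155426 as well, so the UAF fix stays traceable from the Electron history alone.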