From 96404f1fd99ee958a840936f618b143b121726b7 Mon Sep 17 00:00:00 2001
From: Marshall Greenblatt <magreenblatt@gmail.com>
Date: Mon, 22 Mar 2021 19:44:42 -0400
Subject: [PATCH] Revert "Fix potential use-after-free of V8TrackArrayBuffer
 (fixes issue #3074)"

This reverts commit 64a1612b70f806bccf6d2d70efab7ade9157b25f.
---
 libcef/renderer/v8_impl.cc | 28 ++++++----------------------
 1 file changed, 6 insertions(+), 22 deletions(-)

diff --git a/libcef/renderer/v8_impl.cc b/libcef/renderer/v8_impl.cc
index 27a250c2b..fd879fa79 100644
--- a/libcef/renderer/v8_impl.cc
+++ b/libcef/renderer/v8_impl.cc
@@ -322,8 +322,7 @@ class V8TrackArrayBuffer : public CefTrackNode {
       CefRefPtr<CefV8ArrayBufferReleaseCallback> release_callback)
       : isolate_(isolate),
         buffer_(buffer),
-        release_callback_(release_callback),
-        weak_ptr_factory_(this) {
+        release_callback_(release_callback) {
     DCHECK(isolate_);
     isolate_->AdjustAmountOfExternalAllocatedMemory(
         static_cast<int>(sizeof(V8TrackArrayBuffer)));
@@ -366,16 +365,10 @@ class V8TrackArrayBuffer : public CefTrackNode {
     return nullptr;
   }
 
-  base::WeakPtr<V8TrackArrayBuffer> GetWeakPtr() const {
-    return weak_ptr_factory_.GetWeakPtr();
-  }
-
  private:
   v8::Isolate* isolate_;
   void* buffer_;
   CefRefPtr<CefV8ArrayBufferReleaseCallback> release_callback_;
-
-  base::WeakPtrFactory<V8TrackArrayBuffer> weak_ptr_factory_;
 };
 
 // Object wrapped in a v8::External and passed as the Data argument to
@@ -1423,24 +1416,15 @@ CefRefPtr<CefV8Value> CefV8Value::CreateArrayBuffer(
   V8TrackArrayBuffer* tracker =
       new V8TrackArrayBuffer(isolate, buffer, release_callback);
 
-  struct WeakPtrWrapper {
-    WeakPtrWrapper(V8TrackArrayBuffer* tracker) {
-      weak_ptr_ = tracker->GetWeakPtr();
-    }
-    base::WeakPtr<V8TrackArrayBuffer> weak_ptr_;
-  };
-
   auto deleter = [](void* data, size_t length, void* deleter_data) {
-    auto* wrapper = reinterpret_cast<WeakPtrWrapper*>(deleter_data);
-    if (wrapper) {
-      if (wrapper->weak_ptr_)
-        wrapper->weak_ptr_->ReleaseBuffer();
-      delete wrapper;
+    auto* tracker = reinterpret_cast<V8TrackArrayBuffer*>(deleter_data);
+    if (tracker) {
+      tracker->ReleaseBuffer();
     }
   };
 
-  std::unique_ptr<v8::BackingStore> backing = v8::ArrayBuffer::NewBackingStore(
-      buffer, length, deleter, new WeakPtrWrapper(tracker));
+  std::unique_ptr<v8::BackingStore> backing =
+      v8::ArrayBuffer::NewBackingStore(buffer, length, deleter, tracker);
   v8::Local<v8::ArrayBuffer> ab =
       v8::ArrayBuffer::New(isolate, std::move(backing));