From 9972476f5da06398fca5fda7d0eaf20df28dc0b5 Mon Sep 17 00:00:00 2001
From: xurui <xurui115@h-partners.com>
Date: Tue, 21 Nov 2023 00:50:25 -0500
Subject: [PATCH] =?UTF-8?q?fixed=205e79624=20from=20https://gitee.com/clea?=
 =?UTF-8?q?r=5Faddr/chromium=5Fthird=5Fparty/pulls/79=20fixed=202175b2b=20?=
 =?UTF-8?q?from=20https://gitee.com/clear=5Faddr/chromium=5Fthird=5Fparty/?=
 =?UTF-8?q?pulls/55=20=E4=BF=AE=E5=A4=8DCVE-2023-5997?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: xurui <xurui115@h-partners.com>
---
 blink/renderer/core/fetch/body.cc | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/blink/renderer/core/fetch/body.cc b/blink/renderer/core/fetch/body.cc
index fc3ae8fa4..59e151e3a 100644
--- a/blink/renderer/core/fetch/body.cc
+++ b/blink/renderer/core/fetch/body.cc
@@ -118,8 +118,13 @@ class BodyFormDataConsumer final : public BodyConsumerBase {
 
   void DidFetchDataLoadedString(const String& string) override {
     auto* formData = MakeGarbageCollected<FormData>();
-    for (const auto& pair : URLSearchParams::Create(string)->Params())
+    // URLSearchParams::Create() returns an on-heap object, but it can be
+    // garbage collected, so making it a persistent variable on the stack
+    // mitigates use-after-free scenarios. See crbug.com/1497997.
+    Persistent<URLSearchParams> search_params = URLSearchParams::Create(string);
+    for (const auto& pair : search_params->Params()) {
       formData->append(pair.first, pair.second);
+    }
     DidFetchDataLoadedFormData(formData);
   }
 };
-- 
Gitee