Chromium Code Reviews

Unified Diff: content/renderer/render_frame_impl.cc

Issue 1756483004: Fix use-after-free when navigating a subframe to about:blank. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Fixes based on Daniel's review. Created 4 years, 10 months ago
Index: content/renderer/render_frame_impl.cc
diff --git a/content/renderer/render_frame_impl.cc b/content/renderer/render_frame_impl.cc
index ec975b5e8bd90cff456118229e8b216f512d2e6c..91482c17b7de7762f1547fd5992fc158bd976691 100644
--- a/content/renderer/render_frame_impl.cc
+++ b/content/renderer/render_frame_impl.cc
@@ -5501,9 +5501,18 @@ void RenderFrameImpl::NavigateInternal(
item_for_history_navigation, history_load_type,
is_client_redirect);
} else {
+ // The load of the URL can result in this frame being removed. Use a
+ // WeakPtr as an easy way to detect whether this has occured. If so, this
+ // method should return immediately and not touch any part of the object,
+ // otherwise it will result in a use-after-free bug.
+ base::WeakPtr<RenderFrameImpl> weak_this = weak_factory_.GetWeakPtr();
+
// Load the request.
frame_->load(request, load_type, item_for_history_navigation,
history_load_type, is_client_redirect);
+
+ if (!weak_this)
+ return;
}
} else {
// The browser expects the frame to be loading this navigation. Inform it
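Review bot: The WeakPtr guard is only applied around `frame_->load(...)` in the `else` branch, while the history-navigation call in the `if` branch just above (the one whose argument list ends with `is_client_redirect);`) runs unguarded; if that load can likewise cause this frame to be removed, it needs the same `weak_this` check before execution continues past the `if/else` into the code that touches `this`. Consider either hoisting `base::WeakPtr<RenderFrameImpl> weak_this = weak_factory_.GetWeakPtr();` above the `if` and performing the `if (!weak_this) return;` check once after both branches, or adding a comment explaining why the history path cannot delete the frame. Minor: "occured" in the new comment should be "occurred".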
