Require a process ID when looking up RFHs by FrameTreeNode ID.

content/browser/web_contents/web_contents_impl.cc

Index: content/browser/web_contents/web_contents_impl.cc
diff --git a/content/browser/web_contents/web_contents_impl.cc b/content/browser/web_contents/web_contents_impl.cc
index 18572e8f4826a6f64bdc6c2af133abee283e5ab9..0c8f6c41ce7d0cb4d5154590b4d3fd61d0ccd21b 100644
--- a/content/browser/web_contents/web_contents_impl.cc
+++ b/content/browser/web_contents/web_contents_impl.cc
@@ -915,7 +915,24 @@ RenderFrameHostImpl* WebContentsImpl::GetFocusedFrame() {
 }
 
 RenderFrameHostImpl* WebContentsImpl::FindFrameByFrameTreeNodeId(
+    int frame_tree_node_id,
+    int process_id) {
+  FrameTreeNode* frame = frame_tree_.FindByID(frame_tree_node_id);
+
+  // Sanity check that this is in the caller's expected process. Otherwise a
+  // recent cross-process navigation may have led to a privilege change that the
+  // caller is not expecting.
+  RenderFrameHostImpl* current_frame_host = frame->current_frame_host();
+  if (!frame || current_frame_host->GetProcess()->GetID() != process_id)

[Devlin, 2017/05/02 02:04:29]

If !frame is true, wouldn't we have crashed on line 925?

[Charlie Reis, 2017/05/04 16:29:58]

Ha, yep!  Thanks for catching that.

+    return nullptr;
+
+  return current_frame_host;
+}
+
+RenderFrameHostImpl* WebContentsImpl::UnsafeFindFrameByFrameTreeNodeId(
     int frame_tree_node_id) {
+  // Beware using this! The RenderFrameHost may have changed since the caller
+  // obtained frame_tree_node_id.
   FrameTreeNode* frame = frame_tree_.FindByID(frame_tree_node_id);
   return frame ? frame->current_frame_host() : nullptr;
 }