win: alloy: Fix potential crash if browser creation is aborted (fixes #3862)

magreenblatt · magreenblatt · commit 0bf995ae263e · 2025-03-21T14:31:02.000-04:00
diff --git a/libcef/browser/native/browser_platform_delegate_native_win.cc b/libcef/browser/native/browser_platform_delegate_native_win.cc
@@ -173,10 +173,11 @@ bool CefBrowserPlatformDelegateNativeWin::CreateHostWindow() {
                  window_info_.parent_window, window_info_.menu,
                  ::GetModuleHandle(nullptr), this);
 
-  // It's possible for CreateWindowEx to fail if the parent window was
-  // destroyed between the call to CreateBrowser and the above one.
-  DCHECK(window_info_.window);
-  if (!window_info_.window) {
+  // It's possible for CreateWindowEx to fail if the parent window was destroyed
+  // between the call to CreateBrowser and the above one. It's also possible
+  // that |browser_| will be nullptr if BrowserDestroyed() was called during
+  // this time.
+  if (!window_info_.window || !browser_) {
     return false;
   }
 
@@ -569,10 +570,14 @@ LRESULT CALLBACK CefBrowserPlatformDelegateNativeWin::WndProc(HWND hwnd,
         // Clear the user data pointer.
         gfx::SetWindowUserData(hwnd, nullptr);
 
-        // Force the browser to be destroyed. This will result in a call to
-        // BrowserDestroyed() that will release the reference added in
-        // CreateHostWindow().
-        AlloyBrowserHostImpl::FromBaseChecked(browser)->WindowDestroyed();
+        // |browser| may be nullptr if the window was destroyed during browser
+        // creation (e.g. CreateHostWindow() returned false).
+        if (browser) {
+          // Force the browser to be destroyed. This will result in a call to
+          // BrowserDestroyed() that will release the reference added in
+          // CreateHostWindow().
+          AlloyBrowserHostImpl::FromBaseChecked(browser)->WindowDestroyed();
+        }
       }
       break;
 
