authorBrandon Jones <bajones@chromium.org>2022-12-07 01:45:54 +0000
committerMichael Brüning <michael.bruning@qt.io>2023-02-15 14:01:04 +0000
commit50767ed3f44a7de92913cf505547a8863f4d667c (patch)
tree21458bfa40428f121a43ada438d5f808f89d88d7
parent3eaa40d1f8a90e18e2ddb6d8a677b42652e489bc (diff)
[Backport] CVE-2023-0699: Use after free in GPU (2/2)
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4083922: Clear data if GetBucketContents early terminates Follow up to https://chromium-review.googlesource.com/c/chromium/src/+/4076865 Bug: 1371859 Change-Id: I33dbcd6e7e8094d44fe3d7623dc9c152224342e2 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4083922 Commit-Queue: Brandon Jones <bajones@chromium.org> Reviewed-by: Victor Miura <vmiura@chromium.org> Cr-Commit-Position: refs/heads/main@{#1080121} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/460498 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/gpu/command_buffer/client/implementation_base.cc1
1 files changed, 1 insertions, 0 deletions
diff --git a/chromium/gpu/command_buffer/client/implementation_base.cc b/chromium/gpu/command_buffer/client/implementation_base.cc
index 8a3aa39c7fc..fc7d4c21447 100644
--- a/chromium/gpu/command_buffer/client/implementation_base.cc
+++ b/chromium/gpu/command_buffer/client/implementation_base.cc
@@ -302,6 +302,7 @@ bool ImplementationBase::GetBucketContents(uint32_t bucket_id,
helper_->GetBucketData(bucket_id, offset, buffer.size(),
buffer.shm_id(), buffer.offset());
if (!WaitForCmd()) {
+ data->clear();
return false;
}
}
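Review bot: The added `data->clear()` covers only the WaitForCmd() failure inside the loop; GetBucketContents starts before this hunk, and any other early `return false` that occurs after `data` has already been sized (an earlier WaitForCmd or a transfer-buffer allocation failure, if the function has one) would still hand a partially filled vector back to the caller. It is worth auditing every failure path in the function and applying the same clear there, or restructuring so the clear runs on every non-success exit rather than on this one branch. The new line also deserves a why-comment, since the reason will not be obvious to a later reader: `// Leave |data| empty on failure so a caller that ignores the return value cannot act on partial or stale contents.` If the 1/2 companion patch already handles the other exit paths, this is only a request to say so here.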