author | Brandon Jones <bajones@chromium.org> | 2022-12-07 01:45:54 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2023-02-15 14:01:04 +0000 |
commit | 50767ed3f44a7de92913cf505547a8863f4d667c (patch) | |
tree | 21458bfa40428f121a43ada438d5f808f89d88d7 | |
parent | 3eaa40d1f8a90e18e2ddb6d8a677b42652e489bc (diff) | |
download | qtwebengine-chromium-50767ed3f44a7de92913cf505547a8863f4d667c.tar.gz |
[Backport] CVE-2023-0699: Use after free in GPU (2/2)
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4083922:
Clear data if GetBucketContents early terminates
Follow up to
https://chromium-review.googlesource.com/c/chromium/src/+/4076865
Bug: 1371859
Change-Id: I33dbcd6e7e8094d44fe3d7623dc9c152224342e2
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4083922
Commit-Queue: Brandon Jones <bajones@chromium.org>
Reviewed-by: Victor Miura <vmiura@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1080121}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/460498
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/gpu/command_buffer/client/implementation_base.cc | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/chromium/gpu/command_buffer/client/implementation_base.cc b/chromium/gpu/command_buffer/client/implementation_base.cc index 8a3aa39c7fc..fc7d4c21447 100644 --- a/chromium/gpu/command_buffer/client/implementation_base.cc +++ b/chromium/gpu/command_buffer/client/implementation_base.cc @@ -302,6 +302,7 @@ bool ImplementationBase::GetBucketContents(uint32_t bucket_id, helper_->GetBucketData(bucket_id, offset, buffer.size(), buffer.shm_id(), buffer.offset()); if (!WaitForCmd()) { + data->clear(); return false; } } |
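Review bot: The added `data->clear();` in the `!WaitForCmd()` branch of `GetBucketContents` carries no comment explaining why the output vector has to be emptied before `return false`, so a later cleanup could drop it as redundant. A one-line comment there stating that the caller must not be left with a partially filled or stale `data` on failure would make the intent durable. The hunk shows only this one failure exit inside the loop; it is worth confirming that every other early `return false` in the function also leaves `data` empty, since the commit message describes the fix as covering early termination in general. The change touches one file and adds no test, so a unit test that forces `WaitForCmd()` to fail partway through the loop and asserts `data->empty()` would guard against regression.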