| author | Jaroslav Sevcik <jarin@chromium.org> | 2022-11-29 05:29:05 +0000 |
|---|---|---|
| committer | Michael Brüning <michael.bruning@qt.io> | 2022-12-22 08:18:05 +0000 |
| commit | b96b8e2381b86fecf1ded92eaafcce181262e365 (patch) | |
| tree | fb62ca121581af46e7f5bb1d868abc2a037ffc91 | |
| parent | 1e71f2b08e4b7bfd68a03717e2de7dfdb65996fe (diff) | |
| download | qtwebengine-chromium-b96b8e2381b86fecf1ded92eaafcce181262e365.tar.gz | |
[Backport] CVE-2022-4438: Use after free in Blink Frames
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4055626:
Make WidgetBase::BeginMainFrame resilient to disposed 'this'
This patch makes sure that WidgetBase::BeginMainFrame can finish
execution even if processing the RAF-throttled handlers
(DispatchRafAlignedInput) destroys 'this' instance.
(cherry picked from commit af6e22c14bec7ad64115b24ece6d423f144214ca)
Bug: chromium:1381871
Change-Id: I81aa4ba697f80f8666bb2a3b5542cac210b1efa9
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4030809
Reviewed-by: Dave Tapuska <dtapuska@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1072864}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4055626
Auto-Submit: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/branch-heads/5414@{#279}
Cr-Branched-From: 4417ee59d7bf6df7a9c9ea28f7722d2ee6203413-refs/heads/main@{#1070088}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/449910
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
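The hazard this commit guards against, modelled in plain C++ as an added example (not Chromium's or Qt's code): a widget's BeginMainFrame dispatches RAF-aligned input, a handler tears the widget down mid-call, and a weak reference taken before the dispatch is the only safe way to learn that `this` is gone. `std::shared_ptr`/`std::weak_ptr`, `InputEventQueue` and `Metrics` are assumed stand-ins for base::WeakPtrFactory and the Blink types, not the real ones.

```cpp
// Added example (not Chromium code): models the BeginMainFrame hazard with
// std::shared_ptr/weak_ptr standing in for base::WeakPtrFactory.
#include <functional>
#include <memory>
#include <utility>
struct Metrics { int raf_dispatch_recorded = 0; };

// Stand-in for the input event queue: handlers run from here may tear down
// the widget, as a RAF-aligned input handler in Blink may detach the frame.
struct InputEventQueue {
  std::function<void()> raf_aligned_handler;
  void DispatchRafAlignedInput() {
    if (raf_aligned_handler) raf_aligned_handler();
  }
};

class Widget : public std::enable_shared_from_this<Widget> {
 public:
  Widget(InputEventQueue* queue, Metrics* metrics)
      : queue_(queue), metrics_(metrics) {}

  // Returns true if the post-dispatch work (metrics recording) ran.
  bool BeginMainFrame() {
    // Taken before dispatch; the temporary shared_ptr is released at once.
    std::weak_ptr<Widget> weak_this = shared_from_this();
    queue_->DispatchRafAlignedInput();
    // DispatchRafAlignedInput may have destroyed |this|: touch no members.
    if (weak_this.expired())
      return false;
    metrics_->raf_dispatch_recorded++;
    return true;
  }

 private:
  InputEventQueue* queue_;
  Metrics* metrics_;
};

// Runs one frame and returns {post-dispatch work ran, metrics recorded}.
// With destroy_during_dispatch the handler drops the only owning reference,
// destroying the widget while BeginMainFrame is still on the stack.
std::pair<bool, int> RunFrame(bool destroy_during_dispatch) {
  Metrics metrics;
  InputEventQueue queue;
  auto owner = std::make_shared<Widget>(&queue, &metrics);
  Widget* raw = owner.get();
  if (destroy_during_dispatch)
    queue.raf_aligned_handler = [&owner] { owner.reset(); };
  bool ran = raw->BeginMainFrame();  // must return without a use-after-free
  return {ran, metrics.raf_dispatch_recorded};
}
```

Without the `expired()` check the destroyed-widget frame would dereference `metrics_` through a dangling `this`, which is the use-after-free class CVE-2022-4438 falls into.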
-rw-r--r-- | chromium/third_party/blink/renderer/platform/widget/widget_base.cc | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/chromium/third_party/blink/renderer/platform/widget/widget_base.cc b/chromium/third_party/blink/renderer/platform/widget/widget_base.cc index aeeda2d1fb0..314be9dcd0a 100644 --- a/chromium/third_party/blink/renderer/platform/widget/widget_base.cc +++ b/chromium/third_party/blink/renderer/platform/widget/widget_base.cc @@ -845,8 +845,14 @@ void WidgetBase::BeginMainFrame(base::TimeTicks frame_time) { if (ShouldRecordBeginMainFrameMetrics()) { raf_aligned_input_start_time = base::TimeTicks::Now(); } + + auto weak_this = weak_ptr_factory_.GetWeakPtr(); widget_input_handler_manager_->input_event_queue()->DispatchRafAlignedInput( frame_time); + // DispatchRafAlignedInput could have detached the frame. + if (!weak_this) + return; + if (ShouldRecordBeginMainFrameMetrics()) { client_->RecordDispatchRafAlignedInputTime(raf_aligned_input_start_time); } |
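Review bot: the comment on the new guard says DispatchRafAlignedInput "could have detached the frame", but `weak_this` only reports whether this WidgetBase still exists, which is what the commit message describes (the RAF-aligned handlers destroying `this`); reword it to say that, e.g. `// DispatchRafAlignedInput may have destroyed |this|.`, so the check is not read as handling a detached-but-live frame. The early return also skips RecordDispatchRafAlignedInputTime for such frames, which is correct since `client_` is gone with the widget, but deserves a word in the same comment. Per the diffstat only widget_base.cc changes, so nothing exercises the destroy-during-dispatch path; a unit test that tears the widget down from a RAF-aligned handler would keep the guard from being moved or dropped later.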