[Backport] CVE-2023-0703: Type Confusion in DevTools

Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4183821: Check arguments type in DevToolsHost.showContextMenuAtPoint (cherry picked from commit 954e76692edf965e588ee80350c20ad403f82ea0) Bug: 1405574 Change-Id: Id06637839096402e05a2278b06f2f84b3037e21d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4165089 Auto-Submit: Danil Somsikov <dsv@chromium.org> Commit-Queue: Kouhei Ueno <kouhei@chromium.org> Reviewed-by: Yang Guo <yangguo@chromium.org> Reviewed-by: Kouhei Ueno <kouhei@chromium.org> Cr-Original-Commit-Position: refs/heads/main@{#1093205} Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4183821 Cr-Commit-Position: refs/branch-heads/5481@{#498} Cr-Branched-From: 130f3e4d850f4bc7387cfb8d08aa993d288a67a9-refs/heads/main@{#1084008} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/460495 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
author: Danil Somsikov <dsv@chromium.org> 2023-01-20 15:04:49 +0000
committer: Michael Brüning <michael.bruning@qt.io> 2023-02-15 14:00:42 +0000
commit: f40ad614a15a5f2a93eb42f3e21940a0957ac2d3 (patch)
tree: f8f3a1de5b935b6a8e91592bf3f054d073e1351e
parent: 098ae23e11e8948640e7003a29fd6a137a3525e4 (diff)
download: qtwebengine-chromium-f40ad614a15a5f2a93eb42f3e21940a0957ac2d3.tar.gz
1 files changed, 7 insertions, 2 deletions
diff --git a/chromium/third_party/blink/renderer/bindings/core/v8/custom/v8_dev_tools_host_custom.cc b/chromium/third_party/blink/renderer/bindings/core/v8/custom/v8_dev_tools_host_custom.cc
index 1b58cf41d25..0732e2d0cef 100644
--- a/chromium/third_party/blink/renderer/bindings/core/v8/custom/v8_dev_tools_host_custom.cc
+++ b/chromium/third_party/blink/renderer/bindings/core/v8/custom/v8_dev_tools_host_custom.cc
@@ -65,8 +65,13 @@ static bool PopulateContextMenuItems(v8::Isolate* isolate,
                                      std::vector<MenuItemInfo>& items) {
   v8::Local<v8::Context> context = isolate->GetCurrentContext();
   for (uint32_t i = 0; i < item_array->Length(); ++i) {
-    v8::Local<v8::Object> item =
-        item_array->Get(context, i).ToLocalChecked().As<v8::Object>();
+    v8::Local<v8::Value> item_value =
+        item_array->Get(context, i).ToLocalChecked();
+    if (!item_value->IsObject()) {
+      return false;
+    }
+    v8::Local<v8::Object> item = item_value.As<v8::Object>();
+
     v8::Local<v8::Value> type;
     v8::Local<v8::Value> id;
     v8::Local<v8::Value> label;
author	Danil Somsikov <dsv@chromium.org>	2023-01-20 15:04:49 +0000
committer	Michael Brüning <michael.bruning@qt.io>	2023-02-15 14:00:42 +0000
commit	f40ad614a15a5f2a93eb42f3e21940a0957ac2d3 (patch)
tree	f8f3a1de5b935b6a8e91592bf3f054d073e1351e
parent	098ae23e11e8948640e7003a29fd6a137a3525e4 (diff)
download	qtwebengine-chromium-f40ad614a15a5f2a93eb42f3e21940a0957ac2d3.tar.gz