diff options
| author | Keren Zhu <kerenzhu@chromium.org> | 2023-04-24 15:38:57 +0000 |
|---|---|---|
| committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2023-05-15 11:16:26 +0000 |
| commit | 62a251e1e2ff02547dbc471799264e7d5bf086d9 (patch) | |
| tree | 2ff63f30d7e381e90d1c047bedeb1309313d22d1 | |
| parent | ff7e8305b9839683589048493fb9a9f881bced5c (diff) | |
| download | qtwebengine-chromium-62a251e1e2ff02547dbc471799264e7d5bf086d9.tar.gz | |
[Backport] Security bug 1423360
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4466648:
Fix ScopedObservation UaF in BubbleDialogDelegate::AnchorWidgetObserver
A ScopedObservation can outlive the aura::Window it observes, leading to
a use-after-free error in ~ScopedObservation(). The problem occurs in
BubbleDialogDelegate::AnchorWidgetObserver. This fix listens for
OnWindowDestroying() and resets the observation to prevent the UaF.
(cherry picked from commit 72bd6a1018548ee63a2ec06d6c7714d3a8cdf8a8)
Bug: 1423360
Change-Id: I742b4624b2664dea3fd97db7b399fcd15e45c8fe
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4455016
Code-Coverage: Findit <findit-for-me@appspot.gserviceaccount.com>
Reviewed-by: Elly Fong-Jones <ellyjones@chromium.org>
Commit-Queue: Keren Zhu <kerenzhu@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1133511}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4466648
Reviewed-by: Allen Bauer <kylixrd@chromium.org>
Cr-Commit-Position: refs/branch-heads/5672@{#868}
Cr-Branched-From: 5f2a72468eda1eb945b3b5a2298b5d1cd678521e-refs/heads/main@{#1121455}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/476751
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| -rw-r--r-- | chromium/ui/views/bubble/bubble_dialog_delegate_view.cc | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/chromium/ui/views/bubble/bubble_dialog_delegate_view.cc b/chromium/ui/views/bubble/bubble_dialog_delegate_view.cc index e6fdc8f2583..0fbea4850cf 100644 --- a/chromium/ui/views/bubble/bubble_dialog_delegate_view.cc +++ b/chromium/ui/views/bubble/bubble_dialog_delegate_view.cc @@ -319,6 +319,13 @@ class BubbleDialogDelegate::AnchorWidgetObserver : public WidgetObserver, owner_->OnAnchorBoundsChanged(); } } + + // If the native window is closed by the OS, OnWidgetDestroying() won't + // fire. Instead, OnWindowDestroying() will fire before aura::Window + // destruction. See //docsg/chromium/ui/views/widget_destruction.md. + void OnWindowDestroying(aura::Window* window) override { + window_observation_.Reset(); + } #endif private: |