author | Yoshisato Yanagisawa <yyanagisawa@chromium.org> | 2023-04-26 10:33:18 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2023-05-02 08:59:46 +0000 |
commit | 786227abddd592046828996a06d0f2bb5541e960 (patch) | |
tree | 504d419b00fca70609eaabcf3ffaead07aa1851c | |
parent | b2e45eb044ca9ca6f95282904e88f0820493386d (diff) | |
download | qtwebengine-chromium-786227abddd592046828996a06d0f2bb5541e960.tar.gz |
[Backport] CVE-2023-2134: Out of bounds memory access in Service Worker API
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4406580:
Stop supporting { handleEvent }.
M108 merge issues:
content_unittests_bundle_data.filelist:
Not present in 108, skipped; Only used in iOS tests on main
Make the code aligned with the following specification update:
https://github.com/w3c/ServiceWorker/pull/1676
With the previous specification and code, the event listener vector
can be modified during the GetEffectiveFunction execution, which may
bring an unexpected vector state.
(cherry picked from commit 5105ce37a6853d52ec97894bf6969b3c29a23afd)
Change-Id: I732c4c9ab2caebc49a7f4ef52640df7b8476d838
Bug: 1429201
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4394402
Commit-Queue: Yoshisato Yanagisawa <yyanagisawa@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1126483}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4406580
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Reviewed-by: Yoshisato Yanagisawa <yyanagisawa@chromium.org>
Cr-Commit-Position: refs/branch-heads/5359@{#1449}
Cr-Branched-From: 27d3765d341b09369006d030f83f582a29eb57ae-refs/heads/main@{#1058933}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/474621
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/third_party/blink/renderer/modules/service_worker/service_worker_global_scope.cc | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/chromium/third_party/blink/renderer/modules/service_worker/service_worker_global_scope.cc b/chromium/third_party/blink/renderer/modules/service_worker/service_worker_global_scope.cc index b3a9f691a0f..9523aa1ee53 100644 --- a/chromium/third_party/blink/renderer/modules/service_worker/service_worker_global_scope.cc +++ b/chromium/third_party/blink/renderer/modules/service_worker/service_worker_global_scope.cc @@ -2604,7 +2604,7 @@ ServiceWorkerGlobalScope::FetchHandlerType() { } ScriptState* script_state = ScriptController()->GetScriptState(); - // Do not remove this, |scope| is needed by `GetEffectiveFunction`. + // Do not remove this, |scope| is needed by `GetListenerObject`. ScriptState::Scope scope(script_state); // TODO(crbug.com/1349613): revisit the way to implement this. @@ -2612,8 +2612,8 @@ ServiceWorkerGlobalScope::FetchHandlerType() { for (RegisteredEventListener& e : *elv) { EventTarget* et = EventTarget::Create(script_state); v8::Local<v8::Value> v = - To<JSBasedEventListener>(e.Callback())->GetEffectiveFunction(*et); - if (!v->IsFunction() || + To<JSBasedEventListener>(e.Callback())->GetListenerObject(*et); + if (v.IsEmpty() || !v->IsFunction() || !v.As<v8::Function>()->Experimental_IsNopFunction()) { return mojom::blink::ServiceWorkerFetchHandlerType::kNotSkippable; } |
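Review bot: in the second hunk the new `v.IsEmpty() ||` term must stay first in the condition, because `GetListenerObject(*et)` can hand back an empty `v8::Local` where `GetEffectiveFunction` always produced a function, and `v->IsFunction()` on an empty handle would dereference null; the change is correct as written, but a one-line comment above the `if` saying why the empty check exists would keep a future cleanup from "simplifying" it away. It would also help to record, next to the `for (RegisteredEventListener& e : *elv)` loop, the reason for switching calls: `GetListenerObject` only returns the registered object and does not run script, so `*elv` can no longer be mutated from JavaScript while the range-for over it is in progress, which is exactly the out-of-bounds condition the commit message describes for the old `GetEffectiveFunction` path. Finally, a listener registered as an object with a `handleEvent` method now yields a non-function `v` and falls into the `kNotSkippable` branch, so the conservative result is chosen for that case, consistent with "Stop supporting { handleEvent }." in the message.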