diff options
| author | kylechar <kylechar@chromium.org> | 2023-02-28 21:02:51 +0000 |
|---|---|---|
| committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2023-05-02 08:57:54 +0000 |
| commit | ee3b4cdf2ea07ba6804f997b0dd7d3f99abf7b83 (patch) | |
| tree | b7d58c9b18316c5528db45b1d7954269933b15a0 | |
| parent | b5e07b716d76419a02dde9827f367500d686760b (diff) | |
| download | qtwebengine-chromium-ee3b4cdf2ea07ba6804f997b0dd7d3f99abf7b83.tar.gz | |
[Backport] CVE-2023-1810: Heap buffer overflow in Visuals
Cherry-pick of patch originallt reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4298330:
Add CHECKs in HostFrameSinkManager
It looks like it's possible for a compromised renderer to get multiple
things to register the same FrameSinkId with HostFrameSinkManager. This
violates assumptions around ownership so turn DCHECKs here into CHECKs.
Also convert DCHECKs into CHECKs for registering/unregistering frame
sink hierarchy just in case.
(cherry picked from commit a707ac2d95e4726f4cf0267c9b0c038926c2a691)
Bug: 1414018
Change-Id: If948e758a8484024666f4066360620bc3a9cb493
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4283141
Reviewed-by: Martin Kreichgauer <martinkr@google.com>
Reviewed-by: Jonathan Ross <jonross@chromium.org>
Commit-Queue: Kyle Charbonneau <kylechar@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1109533}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4298330
Cr-Commit-Position: refs/branch-heads/5615@{#69}
Cr-Branched-From: 9c6408ef696e83a9936b82bbead3d41c93c82ee4-refs/heads/main@{#1109224}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/474363
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| -rw-r--r-- | chromium/components/viz/host/host_frame_sink_manager.cc | 17 | ||||
| -rw-r--r-- | chromium/components/viz/service/frame_sinks/frame_sink_manager_impl.cc | 2 |
2 files changed, 10 insertions, 9 deletions
diff --git a/chromium/components/viz/host/host_frame_sink_manager.cc b/chromium/components/viz/host/host_frame_sink_manager.cc index e74e4b93c8d..df5f885ee5c 100644 --- a/chromium/components/viz/host/host_frame_sink_manager.cc +++ b/chromium/components/viz/host/host_frame_sink_manager.cc @@ -68,7 +68,7 @@ void HostFrameSinkManager::RegisterFrameSinkId( DCHECK(client); FrameSinkData& data = frame_sink_data_map_[frame_sink_id]; - DCHECK(!data.IsFrameSinkRegistered()); + CHECK(!data.IsFrameSinkRegistered()); DCHECK(!data.has_created_compositor_frame_sink); data.client = client; data.report_activation = report_activation; @@ -87,7 +87,7 @@ void HostFrameSinkManager::InvalidateFrameSinkId( DCHECK(frame_sink_id.is_valid()); FrameSinkData& data = frame_sink_data_map_[frame_sink_id]; - DCHECK(data.IsFrameSinkRegistered()); + CHECK(data.IsFrameSinkRegistered()); const bool destroy_synchronously = data.has_created_compositor_frame_sink && data.wait_on_destruction; @@ -230,14 +230,14 @@ bool HostFrameSinkManager::RegisterFrameSinkHierarchy( return false; } + FrameSinkData& parent_data = iter->second; + CHECK(!base::Contains(parent_data.children, child_frame_sink_id)); + parent_data.children.push_back(child_frame_sink_id); + // Register and store the parent. frame_sink_manager_->RegisterFrameSinkHierarchy(parent_frame_sink_id, child_frame_sink_id); - FrameSinkData& parent_data = iter->second; - DCHECK(!base::Contains(parent_data.children, child_frame_sink_id)); - parent_data.children.push_back(child_frame_sink_id); - return true; } @@ -246,8 +246,9 @@ void HostFrameSinkManager::UnregisterFrameSinkHierarchy( const FrameSinkId& child_frame_sink_id) { // Unregister and clear the stored parent. FrameSinkData& parent_data = frame_sink_data_map_[parent_frame_sink_id]; - DCHECK(base::Contains(parent_data.children, child_frame_sink_id)); - base::Erase(parent_data.children, child_frame_sink_id); + size_t num_erased = base::Erase(parent_data.children, child_frame_sink_id); + CHECK_EQ(num_erased, 1u); + if (parent_data.IsEmpty()) frame_sink_data_map_.erase(parent_frame_sink_id); diff --git a/chromium/components/viz/service/frame_sinks/frame_sink_manager_impl.cc b/chromium/components/viz/service/frame_sinks/frame_sink_manager_impl.cc index 7c25edc4337..20fa10b1e81 100644 --- a/chromium/components/viz/service/frame_sinks/frame_sink_manager_impl.cc +++ b/chromium/components/viz/service/frame_sinks/frame_sink_manager_impl.cc @@ -284,7 +284,7 @@ void FrameSinkManagerImpl::UnregisterFrameSinkHierarchy( } auto iter = frame_sink_source_map_.find(parent_frame_sink_id); - DCHECK(iter != frame_sink_source_map_.end()); + CHECK(iter != frame_sink_source_map_.end()); // Remove |child_frame_sink_id| from parents list of children. auto& mapping = iter->second; |