author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-02-01 15:56:16 +0100 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-03-29 10:19:55 +0000 |
commit | a5f2293e6c2b5218875806626bee683e0501c179 (patch) | |
tree | 2e16c6cb89e72f77bc97749c2ebb141a9bda8ee8 | |
parent | a66d35344003ee19ac70181b7a2233fd387f9da3 (diff) | |
download | qtwebengine-chromium-a5f2293e6c2b5218875806626bee683e0501c179.tar.gz |
[Backport] Fix for CVE-2019-5758
Fix use-after-poison (UAP) in ImageBitmapLoader/FileReaderLoader
FileReaderLoader stores its client as a raw pointer, so in cases like
ImageBitmapLoader where the FileReaderLoaderClient really is garbage
collected we have to make sure to destroy the FileReaderLoader when
the ExecutionContext that owns it is destroyed.
TBR=mek@chromium.org
(cherry picked from commit 419c4bfbfb94849ed30dcab7c3aaf67afe238b27)
Bug: 913970
Change-Id: I40b02115367cf7bf5bbbbb8e9b57874d2510f861
Reviewed-on: https://chromium-review.googlesource.com/c/1374511
Reviewed-by: Jeremy Roman <jbroman@chromium.org>
Commit-Queue: Marijn Kruisselbrink <mek@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#616342}
Reviewed-on: https://chromium-review.googlesource.com/c/1379106
Reviewed-by: Marijn Kruisselbrink <mek@chromium.org>
Cr-Commit-Position: refs/branch-heads/3626@{#368}
Cr-Branched-From: d897fb137fbaaa9355c0c93124cc048824eb1e65-refs/heads/master@{#612437}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
-rw-r--r-- | chromium/third_party/WebKit/Source/core/imagebitmap/ImageBitmapFactories.cpp | 24 | ||||
-rw-r--r-- | chromium/third_party/WebKit/Source/core/imagebitmap/ImageBitmapFactories.h | 9 |
2 files changed, 27 insertions, 6 deletions
diff --git a/chromium/third_party/WebKit/Source/core/imagebitmap/ImageBitmapFactories.cpp b/chromium/third_party/WebKit/Source/core/imagebitmap/ImageBitmapFactories.cpp
index 90aea4e63d3..fe60624107c 100644
--- a/chromium/third_party/WebKit/Source/core/imagebitmap/ImageBitmapFactories.cpp
+++ b/chromium/third_party/WebKit/Source/core/imagebitmap/ImageBitmapFactories.cpp
@@ -204,12 +204,19 @@ void ImageBitmapFactories::didFinishLoading(ImageBitmapLoader* loader) {
 m_pendingLoaders.remove(loader);
 }
 
+DEFINE_TRACE(ImageBitmapFactories) {
+ visitor->trace(m_pendingLoaders);
+ Supplement<LocalDOMWindow>::trace(visitor);
+ Supplement<WorkerGlobalScope>::trace(visitor);
+}
+
 ImageBitmapFactories::ImageBitmapLoader::ImageBitmapLoader(
 ImageBitmapFactories& factory,
 Optional<IntRect> cropRect,
 ScriptState* scriptState,
 const ImageBitmapOptions& options)
- : m_loader(
+ : ContextLifecycleObserver(scriptState->getExecutionContext()),
+ m_loader(
 FileReaderLoader::create(FileReaderLoader::ReadAsArrayBuffer, this)),
 m_factory(&factory),
 m_resolver(ScriptPromiseResolver::create(scriptState)),
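Review bot: The new `ContextLifecycleObserver(scriptState->getExecutionContext())` initializer only arms the contextDestroyed() teardown if the execution context is non-null at construction; if `getExecutionContext()` can return null here (a ScriptState whose context has already detached), the observer is never notified and the raw-pointer client relationship this commit is fixing is left unguarded again. If a null context is impossible at this call site, a `DCHECK(scriptState->getExecutionContext());` in ImageBitmapLoader::create (or just before the initializer list) would document that assumption; if it is possible, the loader should not be started. Note also that `this` is handed to `FileReaderLoader::create` from inside the initializer list, before the ImageBitmapLoader is fully constructed; that is pre-existing, but now that the object's lifetime is the subject of the fix it deserves a one-line comment. The constructor's initializer list continues past the end of the hunk.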
@@ -222,20 +229,26 @@ void ImageBitmapFactories::ImageBitmapLoader::loadBlobAsync(
 m_loader->start(context, blob->blobDataHandle());
 }
 
-DEFINE_TRACE(ImageBitmapFactories) {
- visitor->trace(m_pendingLoaders);
- Supplement<LocalDOMWindow>::trace(visitor);
- Supplement<WorkerGlobalScope>::trace(visitor);
+ImageBitmapFactories::ImageBitmapLoader::~ImageBitmapLoader() {
+ DCHECK(!m_loader);
 }
 
 void ImageBitmapFactories::ImageBitmapLoader::rejectPromise() {
 m_resolver->reject(DOMException::create(
 InvalidStateError, "The source image cannot be decoded."));
+ m_loader.reset();
 m_factory->didFinishLoading(this);
 }
 
+void ImageBitmapFactories::ImageBitmapLoader::contextDestroyed() {
+ if (m_loader)
+ m_factory->didFinishLoading(this);
+ m_loader.reset();
+}
+
 void ImageBitmapFactories::ImageBitmapLoader::didFinishLoading() {
 DOMArrayBuffer* arrayBuffer = m_loader->arrayBufferResult();
+ m_loader.reset();
 if (!arrayBuffer) {
 rejectPromise();
 return;
@@ -318,6 +331,7 @@ void ImageBitmapFactories::ImageBitmapLoader::resolvePromiseOnOriginalThread(
 }
 
 DEFINE_TRACE(ImageBitmapFactories::ImageBitmapLoader) {
+ ContextLifecycleObserver::trace(visitor);
 visitor->trace(m_factory);
 visitor->trace(m_resolver);
 }
diff --git a/chromium/third_party/WebKit/Source/core/imagebitmap/ImageBitmapFactories.h b/chromium/third_party/WebKit/Source/core/imagebitmap/ImageBitmapFactories.h
index 26a7049da9c..8f63517888f 100644
--- a/chromium/third_party/WebKit/Source/core/imagebitmap/ImageBitmapFactories.h
+++ b/chromium/third_party/WebKit/Source/core/imagebitmap/ImageBitmapFactories.h
@@ -35,6 +35,7 @@
 #include "bindings/core/v8/ScriptPromise.h"
 #include "bindings/core/v8/ScriptPromiseResolver.h"
 #include "bindings/core/v8/ScriptState.h"
+#include "core/dom/ContextLifecycleObserver.h"
 #include "core/fileapi/FileReaderLoader.h"
 #include "core/fileapi/FileReaderLoaderClient.h"
 #include "core/imagebitmap/ImageBitmapOptions.h"
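Review bot: `rejectPromise()` now calls `m_loader.reset()` unconditionally, but it is reached from two different stacks: from `didFinishLoading()`, where the loader has already been reset on the line above and this call is a no-op, and presumably from the `didFail()` FileReaderLoaderClient callback (declared in the header, implemented outside this diff), where the reset deletes the FileReaderLoader while one of its own member functions is still on the stack. That is only safe if FileReaderLoader touches no member state after invoking its client; if that cannot be confirmed from its implementation, the reset on the `didFail()` path should be deferred until the callback has unwound rather than done synchronously inside it. `contextDestroyed()` deliberately leaves `m_resolver` unsettled, which is acceptable because no script can observe a promise whose context is gone, but that choice deserves a comment such as `// The promise is intentionally left pending: its ExecutionContext is gone, so nothing can observe it.` The `DCHECK(!m_loader)` in the destructor is debug-only; in release builds a still-live loader is simply destroyed by the unique_ptr, which is the right fallback but should be stated in a comment so nobody reads the DCHECK as the protection.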
@@ -102,7 +103,10 @@ class ImageBitmapFactories final
 private:
 class ImageBitmapLoader final
 : public GarbageCollectedFinalized<ImageBitmapLoader>,
+ public ContextLifecycleObserver,
 public FileReaderLoaderClient {
+ USING_GARBAGE_COLLECTED_MIXIN(ImageBitmapLoader);
+
 public:
 static ImageBitmapLoader* create(ImageBitmapFactories& factory,
 Optional<IntRect> cropRect,
@@ -116,7 +120,7 @@ class ImageBitmapFactories final
 
 DECLARE_TRACE();
 
- ~ImageBitmapLoader() override {}
+ ~ImageBitmapLoader() override;
 
 private:
 ImageBitmapLoader(ImageBitmapFactories&,
@@ -133,6 +137,9 @@ class ImageBitmapFactories final
 const String& colorSpaceConversionOption);
 void resolvePromiseOnOriginalThread(sk_sp<SkImage>);
 
+ // ContextLifecycleObserver
+ void contextDestroyed() override;
+
 // FileReaderLoaderClient
 void didStartLoading() override {}
 void didReceiveData() override {}
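Review bot: The class now carries a non-obvious lifetime invariant that nothing in the header states: per the commit message the FileReaderLoader keeps `this` as a raw pointer, so `m_loader` must be reset before this garbage-collected object can be finalized, and it is the factory's `m_pendingLoaders` set that keeps the loader reachable until one of `didFinishLoading()`, `rejectPromise()` or `contextDestroyed()` removes it. A class comment above `class ImageBitmapLoader final` spelling out that invariant, and why the class now inherits `ContextLifecycleObserver`, would stop the next refactor from reintroducing the use-after-poison. The added `USING_GARBAGE_COLLECTED_MIXIN(ImageBitmapLoader);` is what the GC mixin base requires and looks correct as placed. The class definition continues past the end of the hunk.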
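Review bot: The `// ContextLifecycleObserver` label above `void contextDestroyed() override;` names the interface but not the reason this class implements it, which is the whole point of the fix. A short comment would carry that: `// Destroys m_loader before the ExecutionContext goes away so the FileReaderLoader can never call back into a collected client; the pending promise is intentionally left unsettled.` The enclosing class definition starts and ends outside the hunk.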