authorAllan Sandfeld Jensen <allan.jensen@qt.io>2019-02-01 15:56:16 +0100
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2019-03-29 10:19:55 +0000
commita5f2293e6c2b5218875806626bee683e0501c179 (patch)
tree2e16c6cb89e72f77bc97749c2ebb141a9bda8ee8
parenta66d35344003ee19ac70181b7a2233fd387f9da3 (diff)
downloadqtwebengine-chromium-a5f2293e6c2b5218875806626bee683e0501c179.tar.gz
[Backport] Fix for CVE-2019-5758
Fix UAP in ImageBitmapLoader/FileReaderLoader FileReaderLoader stores its client as a raw pointer, so in cases like ImageBitmapLoader where the FileReaderLoaderClient really is garbage collected we have to make sure to destroy the FileReaderLoader when the ExecutionContext that owns it is destroyed. TBR=mek@chromium.org (cherry picked from commit 419c4bfbfb94849ed30dcab7c3aaf67afe238b27) Bug: 913970 Change-Id: I40b02115367cf7bf5bbbbb8e9b57874d2510f861 Reviewed-on: https://chromium-review.googlesource.com/c/1374511 Reviewed-by: Jeremy Roman <jbroman@chromium.org> Commit-Queue: Marijn Kruisselbrink <mek@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#616342} Reviewed-on: https://chromium-review.googlesource.com/c/1379106 Reviewed-by: Marijn Kruisselbrink <mek@chromium.org> Cr-Commit-Position: refs/branch-heads/3626@{#368} Cr-Branched-From: d897fb137fbaaa9355c0c93124cc048824eb1e65-refs/heads/master@{#612437} Reviewed-by: Michal Klocek <michal.klocek@qt.io> Reviewed-by: Michael Brüning <michael.bruning@qt.io>
-rw-r--r--chromium/third_party/WebKit/Source/core/imagebitmap/ImageBitmapFactories.cpp24
-rw-r--r--chromium/third_party/WebKit/Source/core/imagebitmap/ImageBitmapFactories.h9
2 files changed, 27 insertions, 6 deletions
diff --git a/chromium/third_party/WebKit/Source/core/imagebitmap/ImageBitmapFactories.cpp b/chromium/third_party/WebKit/Source/core/imagebitmap/ImageBitmapFactories.cpp
index 90aea4e63d3..fe60624107c 100644
--- a/chromium/third_party/WebKit/Source/core/imagebitmap/ImageBitmapFactories.cpp
+++ b/chromium/third_party/WebKit/Source/core/imagebitmap/ImageBitmapFactories.cpp
@@ -204,12 +204,19 @@ void ImageBitmapFactories::didFinishLoading(ImageBitmapLoader* loader) {
m_pendingLoaders.remove(loader);
}
+DEFINE_TRACE(ImageBitmapFactories) {
+ visitor->trace(m_pendingLoaders);
+ Supplement<LocalDOMWindow>::trace(visitor);
+ Supplement<WorkerGlobalScope>::trace(visitor);
+}
+
ImageBitmapFactories::ImageBitmapLoader::ImageBitmapLoader(
ImageBitmapFactories& factory,
Optional<IntRect> cropRect,
ScriptState* scriptState,
const ImageBitmapOptions& options)
- : m_loader(
+ : ContextLifecycleObserver(scriptState->getExecutionContext()),
+ m_loader(
FileReaderLoader::create(FileReaderLoader::ReadAsArrayBuffer, this)),
m_factory(&factory),
m_resolver(ScriptPromiseResolver::create(scriptState)),
@@ -222,20 +229,26 @@ void ImageBitmapFactories::ImageBitmapLoader::loadBlobAsync(
m_loader->start(context, blob->blobDataHandle());
}
-DEFINE_TRACE(ImageBitmapFactories) {
- visitor->trace(m_pendingLoaders);
- Supplement<LocalDOMWindow>::trace(visitor);
- Supplement<WorkerGlobalScope>::trace(visitor);
+ImageBitmapFactories::ImageBitmapLoader::~ImageBitmapLoader() {
+ DCHECK(!m_loader);
}
void ImageBitmapFactories::ImageBitmapLoader::rejectPromise() {
m_resolver->reject(DOMException::create(
InvalidStateError, "The source image cannot be decoded."));
+ m_loader.reset();
m_factory->didFinishLoading(this);
}
+void ImageBitmapFactories::ImageBitmapLoader::contextDestroyed() {
+ if (m_loader)
+ m_factory->didFinishLoading(this);
+ m_loader.reset();
+}
+
void ImageBitmapFactories::ImageBitmapLoader::didFinishLoading() {
DOMArrayBuffer* arrayBuffer = m_loader->arrayBufferResult();
+ m_loader.reset();
if (!arrayBuffer) {
rejectPromise();
return;
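Review bot: contextDestroyed() at the bottom of this hunk treats a non-null m_loader as the only sign that this loader is still in the factory's pending set, so the invariant that every completion path resets m_loader around its m_factory->didFinishLoading() call is relied on here but stated nowhere; rejectPromise() and didFinishLoading() in this hunk honour it, and any other FileReaderLoaderClient completion callback outside the hunk (didFail, if it ends the load) must too, or the factory is notified twice for one loader. Suggest a comment above `if (m_loader)`: `// m_loader is non-null only while a load is in flight and this loader is still in m_factory's pending set; every completion path must reset it before this can run.` contextDestroyed() also abandons the load without settling m_resolver, which is reasonable for a context that is going away but deserves a one-line comment so it is not read as a leaked promise. The new destructor only DCHECKs that m_loader was cleared, so in release builds a missed path is silent and m_loader (presumably an owning pointer, given the reset() calls) would instead be destroyed from the finalizer. The enclosing loadBlobAsync() at the top of the hunk begins before it, and didFinishLoading() continues past the end of the hunk.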
@@ -318,6 +331,7 @@ void ImageBitmapFactories::ImageBitmapLoader::resolvePromiseOnOriginalThread(
}
DEFINE_TRACE(ImageBitmapFactories::ImageBitmapLoader) {
+ ContextLifecycleObserver::trace(visitor);
visitor->trace(m_factory);
visitor->trace(m_resolver);
}
diff --git a/chromium/third_party/WebKit/Source/core/imagebitmap/ImageBitmapFactories.h b/chromium/third_party/WebKit/Source/core/imagebitmap/ImageBitmapFactories.h
index 26a7049da9c..8f63517888f 100644
--- a/chromium/third_party/WebKit/Source/core/imagebitmap/ImageBitmapFactories.h
+++ b/chromium/third_party/WebKit/Source/core/imagebitmap/ImageBitmapFactories.h
@@ -35,6 +35,7 @@
#include "bindings/core/v8/ScriptPromise.h"
#include "bindings/core/v8/ScriptPromiseResolver.h"
#include "bindings/core/v8/ScriptState.h"
+#include "core/dom/ContextLifecycleObserver.h"
#include "core/fileapi/FileReaderLoader.h"
#include "core/fileapi/FileReaderLoaderClient.h"
#include "core/imagebitmap/ImageBitmapOptions.h"
@@ -102,7 +103,10 @@ class ImageBitmapFactories final
private:
class ImageBitmapLoader final
: public GarbageCollectedFinalized<ImageBitmapLoader>,
+ public ContextLifecycleObserver,
public FileReaderLoaderClient {
+ USING_GARBAGE_COLLECTED_MIXIN(ImageBitmapLoader);
+
public:
static ImageBitmapLoader* create(ImageBitmapFactories& factory,
Optional<IntRect> cropRect,
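Review bot: The class declaration gives no hint why ImageBitmapLoader now observes its ExecutionContext; that reasoning lives only in the commit message, and a future cleanup could drop the base without noticing what it guards. Suggest a comment above `public ContextLifecycleObserver,`: `// Observes the ExecutionContext so m_loader, which holds a raw pointer back to this client, is torn down in contextDestroyed() before this object can be collected.` The USING_GARBAGE_COLLECTED_MIXIN line is needed for the mixin base and the base order (GarbageCollectedFinalized first) looks right; the class body continues past this hunk.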
@@ -116,7 +120,7 @@ class ImageBitmapFactories final
DECLARE_TRACE();
- ~ImageBitmapLoader() override {}
+ ~ImageBitmapLoader() override;
private:
ImageBitmapLoader(ImageBitmapFactories&,
@@ -133,6 +137,9 @@ class ImageBitmapFactories final
const String& colorSpaceConversionOption);
void resolvePromiseOnOriginalThread(sk_sp<SkImage>);
+ // ContextLifecycleObserver
+ void contextDestroyed() override;
+
// FileReaderLoaderClient
void didStartLoading() override {}
void didReceiveData() override {}