author | Michael BrĂ¼ning <michael.bruning@qt.io> | 2019-12-02 15:16:48 +0100 |
---|---|---|
committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2019-12-02 18:31:19 +0000 |
commit | c112c079a5d7364bdf0f2686616df7024a8dad82 (patch) | |
tree | 28a38790af6757ad0837fa9b83645c0dcc8e7672 | |
parent | d7a0d0f0d0dc20e1940ee8f7b805247db535ebd0 (diff) | |
download | qtwebengine-chromium-c112c079a5d7364bdf0f2686616df7024a8dad82.tar.gz |
[Backport] CVE-2019-5829
Manual backport with adjustments:
Early return if a download Id is already used when creating a download
This protects against download Id overflow and a use-after-free
issue.
BUG=958533
Change-Id: Ib7501ceaefd87390369e3206f645f0e8622220a1
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/content/browser/download/download_manager_impl.cc | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/chromium/content/browser/download/download_manager_impl.cc b/chromium/content/browser/download/download_manager_impl.cc
index 04d76dfb4ea..44a49ee1fb6 100644
--- a/chromium/content/browser/download/download_manager_impl.cc
+++ b/chromium/content/browser/download/download_manager_impl.cc
@@ -192,7 +192,10 @@ DownloadItemImpl* DownloadManagerImpl::CreateActiveItem(
     uint32_t id,
     const DownloadCreateInfo& info) {
   DCHECK_CURRENTLY_ON(BrowserThread::UI);
-  DCHECK(!base::ContainsKey(downloads_, id));
+
+  if (base::ContainsKey(downloads_, id))
+    return nullptr;
+
   net::NetLogWithSource net_log =
       net::NetLogWithSource::Make(net_log_, net::NetLogSourceType::DOWNLOAD);
   DownloadItemImpl* download =
@@ -354,6 +357,13 @@ void DownloadManagerImpl::StartDownloadWithId(
     download = item_iterator->second.get();
   }
 
+  if (!download) {
+    if (!on_started.is_null())
+      on_started.Run(nullptr, DOWNLOAD_INTERRUPT_REASON_USER_CANCELED);
+
+    return;
+  }
+
   base::FilePath default_download_directory;
   if (delegate_) {
     base::FilePath website_save_directory;  // Unused |
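Review bot: The early return in CreateActiveItem silently changes the function's contract to "may return nullptr", but the hunk adds no comment saying so, the declaration in download_manager_impl.h is not part of this change, and the only caller visibly updated to null-check is StartDownloadWithId in the second hunk — any other caller of CreateActiveItem would now dereference nullptr. A why-comment above the check would stop the next maintainer from turning it back into a DCHECK: `// An id already present in |downloads_| means the id counter wrapped or an id was reused; storing a second item under it would presumably destroy the existing DownloadItemImpl while it is still referenced (the use-after-free from CVE-2019-5829), so refuse instead.` Dropping the DCHECK also removes the only debug-time signal that a collision occurred; a `DLOG(WARNING)` or equivalent before the `return nullptr;` would keep that visibility without crashing. CreateActiveItem's body continues past the end of this hunk.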
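Review bot: Reporting the failure to on_started as DOWNLOAD_INTERRUPT_REASON_USER_CANCELED describes an internal id collision as a user action, and nothing in the hunk explains the choice, so a callback consumer cannot distinguish the two cases. If no closer interrupt reason exists, a comment should record why this one was picked, e.g. `// CreateActiveItem refused a duplicate download id; there is no dedicated interrupt reason, so report a cancellation so callers release their state.` The callback is also invoked inline here, on the UI thread per the DCHECK_CURRENTLY_ON in the first hunk, which callers that expect on_started to fire only after the item exists may not anticipate — worth confirming against the existing callers. StartDownloadWithId's body both starts and ends outside this hunk.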