author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-01-29 11:44:30 +0100 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-02-01 12:05:31 +0000 |
commit | 232288de9e12c0c4fb8b5686a7fe81280ee4852f (patch) | |
tree | a1ea766ace1de3728089d10199df4574912e6f95 | |
parent | 6f4d9abf1fb5a940406ab6bff6a550898ee74646 (diff) | |
download | qtwebengine-chromium-232288de9e12c0c4fb8b5686a7fe81280ee4852f.tar.gz |
[Backport] Validate frame after conversion in chrome.send
BUG=797511
TEST=Manually, see https://crbug.com/797511#c1
TBR=rob@robwu.nl
(cherry picked from commit 90585e657db48f93bd73bc45d4caa975323da41b)
Reviewed-on: https://chromium-review.googlesource.com/844076
Commit-Queue: Rob Wu <rob@robwu.nl>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#526197}
Reviewed-on: https://chromium-review.googlesource.com/874471
Reviewed-by: Rob Wu <rob@robwu.nl>
Cr-Commit-Position: refs/branch-heads/3282@{#541}
(CVE-2018-6054)
Change-Id: I4ae431b43251c018e21442551acc36e9b9e1caa3
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/content/renderer/web_ui_extension.cc | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/chromium/content/renderer/web_ui_extension.cc b/chromium/content/renderer/web_ui_extension.cc
index 802bd7a0e61..c14313283f1 100644
--- a/chromium/content/renderer/web_ui_extension.cc
+++ b/chromium/content/renderer/web_ui_extension.cc
@@ -124,6 +124,13 @@ void WebUIExtension::Send(gin::Arguments* args) {
 content = base::ListValue::From(V8ValueConverter::Create()->FromV8Value(
 obj, frame->MainWorldScriptContext()));
 DCHECK(content);
+ // The conversion of |obj| could have triggered arbitrary JavaScript code,
+ // so check that the frame is still valid to avoid dereferencing a stale
+ // pointer.
+ if (frame != blink::WebLocalFrame::FrameForCurrentContext()) {
+ NOTREACHED();
+ return;
+ }
 }
 // Send the message up to the browser.
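Review bot: The added guard uses `NOTREACHED()` for a condition that, by the hunk's own comment, page script can bring about — arbitrary JavaScript run during the `FromV8Value` conversion can navigate or detach the frame, so the mismatch is a reachable state rather than a programming error, and in debug/ASan builds this turns a correctly handled stale-frame case into a fatal (in release it simply falls through to the `return`). A silent early exit keeps the security fix without a fuzzer-visible crash: `if (frame != blink::WebLocalFrame::FrameForCurrentContext()) return;  // frame navigated or detached while converting |obj|`. The comparison itself is pointer-only and never dereferences `frame`, which is what makes it safe after a possible detach; it presumably relies on `frame` having been obtained from `FrameForCurrentContext()` earlier in Send, which is outside the hunk and worth confirming. The guard is placed only in the branch that performs the conversion; the other branch of this `if` is not visible here and I assume it runs no script. `WebUIExtension::Send` begins before and continues after the hunk.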