authorAllan Sandfeld Jensen <allan.jensen@qt.io>2018-01-29 11:44:30 +0100
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2018-02-01 12:05:31 +0000
commit232288de9e12c0c4fb8b5686a7fe81280ee4852f (patch)
treea1ea766ace1de3728089d10199df4574912e6f95
parent6f4d9abf1fb5a940406ab6bff6a550898ee74646 (diff)
downloadqtwebengine-chromium-232288de9e12c0c4fb8b5686a7fe81280ee4852f.tar.gz
[Backport] Validate frame after conversion in chrome.send
BUG=797511 TEST=Manually, see https://crbug.com/797511#c1 TBR=rob@robwu.nl (cherry picked from commit 90585e657db48f93bd73bc45d4caa975323da41b) Reviewed-on: https://chromium-review.googlesource.com/844076 Commit-Queue: Rob Wu <rob@robwu.nl> Reviewed-by: Kentaro Hara <haraken@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#526197} Reviewed-on: https://chromium-review.googlesource.com/874471 Reviewed-by: Rob Wu <rob@robwu.nl> Cr-Commit-Position: refs/branch-heads/3282@{#541} (CVE-2018-6054) Change-Id: I4ae431b43251c018e21442551acc36e9b9e1caa3 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/content/renderer/web_ui_extension.cc7
1 files changed, 7 insertions, 0 deletions
diff --git a/chromium/content/renderer/web_ui_extension.cc b/chromium/content/renderer/web_ui_extension.cc
index 802bd7a0e61..c14313283f1 100644
--- a/chromium/content/renderer/web_ui_extension.cc
+++ b/chromium/content/renderer/web_ui_extension.cc
@@ -124,6 +124,13 @@ void WebUIExtension::Send(gin::Arguments* args) {
content = base::ListValue::From(V8ValueConverter::Create()->FromV8Value(
obj, frame->MainWorldScriptContext()));
DCHECK(content);
+ // The conversion of |obj| could have triggered arbitrary JavaScript code,
+ // so check that the frame is still valid to avoid dereferencing a stale
+ // pointer.
+ if (frame != blink::WebLocalFrame::FrameForCurrentContext()) {
+ NOTREACHED();
+ return;
+ }
}
// Send the message up to the browser.