diff options
| author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-10-14 11:51:52 +0200 |
|---|---|---|
| committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-10-14 11:52:37 +0000 |
| commit | 00d9e1e3be09a80f9c03302f86b77a9d849a822f (patch) | |
| tree | debf3a2d7d0e409e37f342e3f3b9138eb25d7acd | |
| parent | 1f07ca687b1a2aafce41e96dbf9e0ad7aa48d525 (diff) | |
| download | qtwebengine-chromium-00d9e1e3be09a80f9c03302f86b77a9d849a822f.tar.gz | |
[Backport] CVE-2019-5872
Close FileSystemOperationListener bindings on PreFinalizer
This is a speculative CL to the UAP observed on crbug.com/c/981492.
It basically early-closes FileSystemDispatcher's mojo bindings manually,
a common for Blink's GC objects that own mojo bindings.
BUG=981492
R=haraken@chromium.org, mek@chromium.org
TBR=tonikitoo@igalia.com
(cherry picked from commit cfd44efa92afda3eb1944ae2f862bd444553a78c)
Change-Id: I0ffff4798532df5dda1ee74e4bbe8a887b5c68ee
Reviewed-by: Marijn Kruisselbrink <mek@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Commit-Queue: Marijn Kruisselbrink <mek@chromium.org>
Auto-Submit: Antonio Gomes <tonikitoo@igalia.com>
Cr-Original-Commit-Position: refs/heads/master@{#685700}
Reviewed-by: Antonio Gomes <tonikitoo@igalia.com>
Cr-Commit-Position: refs/branch-heads/3865@{#606}
Cr-Branched-From: 0cdcc6158160790658d1f033d3db873603250124-refs/heads/master@{#681094}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| -rw-r--r-- | chromium/third_party/blink/renderer/modules/filesystem/file_system_dispatcher.cc | 4 | ||||
| -rw-r--r-- | chromium/third_party/blink/renderer/modules/filesystem/file_system_dispatcher.h | 4 |
2 files changed, 8 insertions, 0 deletions
diff --git a/chromium/third_party/blink/renderer/modules/filesystem/file_system_dispatcher.cc b/chromium/third_party/blink/renderer/modules/filesystem/file_system_dispatcher.cc index 91de230246c..a2841d1f646 100644 --- a/chromium/third_party/blink/renderer/modules/filesystem/file_system_dispatcher.cc +++ b/chromium/third_party/blink/renderer/modules/filesystem/file_system_dispatcher.cc @@ -585,4 +585,8 @@ void FileSystemDispatcher::RemoveOperationPtr(int operation_id) { cancellable_operations_.erase(operation_id); } +void FileSystemDispatcher::Prefinalize() { + op_listeners_.CloseAllBindings(); +} + } // namespace blink diff --git a/chromium/third_party/blink/renderer/modules/filesystem/file_system_dispatcher.h b/chromium/third_party/blink/renderer/modules/filesystem/file_system_dispatcher.h index 163d0db1d9b..1692798ba6d 100644 --- a/chromium/third_party/blink/renderer/modules/filesystem/file_system_dispatcher.h +++ b/chromium/third_party/blink/renderer/modules/filesystem/file_system_dispatcher.h @@ -31,6 +31,7 @@ class FileSystemDispatcher : public GarbageCollectedFinalized<FileSystemDispatcher>, public Supplement<ExecutionContext> { USING_GARBAGE_COLLECTED_MIXIN(FileSystemDispatcher); + USING_PRE_FINALIZER(FileSystemDispatcher, Prefinalize); public: using StatusCallback = base::OnceCallback<void(base::File::Error error)>; @@ -192,7 +193,10 @@ class FileSystemDispatcher void RemoveOperationPtr(int operation_id); + void Prefinalize(); + mojom::blink::FileSystemManagerPtr file_system_manager_ptr_; + using OperationsMap = HashMap<int, mojom::blink::FileSystemCancellableOperationPtr>; OperationsMap cancellable_operations_; |