author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-10-14 13:31:24 +0200 |
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-10-14 12:33:27 +0000 |
commit | cc18c848e1741271d5d0f01e67b560ee99b902a2 (patch) | |
tree | 586b52ec44355e3b10abda341cff1952c1d38968 | |
parent | 495b2ebcd9d3ea3ee5893dad4d66333862eda493 (diff) | |
download | qtwebengine-chromium-cc18c848e1741271d5d0f01e67b560ee99b902a2.tar.gz |
[Backport] CVE-2019-13693
IndexedDB: Unregister cursors from transactions more consistently.
IndexedDBCursor now calls IndexedDBTransaction::UnregisterOpenCursor()
in Close(), which is called by the destructor.
The previous setup missed an edge case where calling
IndexedDBCursor::Close() directly would not unregister the cursor. This
behavior was relied upon in IndexedDBTransaction::CloseOpenCursors(),
but was not intended at other callsites.
(cherry picked from commit 23303e6f178ca2993bfde7114e6bdf48dd0eff9d)
Bug: 1005753
Change-Id: I91944138d05faa2d91ecc03b1040ec16ca1a7e5f
Reviewed-by: Joshua Bell <jsbell@chromium.org>
Commit-Queue: Victor Costan <pwnall@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#699937}
Reviewed-by: Victor Costan <pwnall@chromium.org>
Cr-Commit-Position: refs/branch-heads/3865@{#872}
Cr-Branched-From: 0cdcc6158160790658d1f033d3db873603250124-refs/heads/master@{#681094}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/content/browser/indexed_db/indexed_db_cursor.cc | 4 | ||||
-rw-r--r-- | chromium/content/browser/indexed_db/indexed_db_transaction.cc | 8 |
2 files changed, 8 insertions, 4 deletions
diff --git a/chromium/content/browser/indexed_db/indexed_db_cursor.cc b/chromium/content/browser/indexed_db/indexed_db_cursor.cc
index 7f1ad8465de..e53c06637bf 100644
--- a/chromium/content/browser/indexed_db/indexed_db_cursor.cc
+++ b/chromium/content/browser/indexed_db/indexed_db_cursor.cc
@@ -75,8 +75,6 @@ IndexedDBCursor::IndexedDBCursor(
 }

 IndexedDBCursor::~IndexedDBCursor() {
-  if (transaction_)
-    transaction_->UnregisterOpenCursor(this);
   // Call to make sure we complete our lifetime trace.
   Close();
 }
@@ -352,6 +350,8 @@ void IndexedDBCursor::Close() {
   closed_ = true;
   cursor_.reset();
   saved_cursor_.reset();
+  if (transaction_)
+    transaction_->UnregisterOpenCursor(this);
   transaction_ = nullptr;
 }

diff --git a/chromium/content/browser/indexed_db/indexed_db_transaction.cc b/chromium/content/browser/indexed_db/indexed_db_transaction.cc
index d418674eb1d..56853e575b6 100644
--- a/chromium/content/browser/indexed_db/indexed_db_transaction.cc
+++ b/chromium/content/browser/indexed_db/indexed_db_transaction.cc
@@ -566,9 +566,13 @@ void IndexedDBTransaction::Timeout() {

 void IndexedDBTransaction::CloseOpenCursors() {
   IDB_TRACE1("IndexedDBTransaction::CloseOpenCursors", "txn.id", id());
-  for (auto* cursor : open_cursors_)
-    cursor->Close();
+
+  // IndexedDBCursor::Close() indirectly mutates |open_cursors_|, when it calls
+  // IndexedDBTransaction::UnregisterOpenCursor().
+  std::set<IndexedDBCursor*> open_cursors = std::move(open_cursors_);
   open_cursors_.clear();
+  for (auto* cursor : open_cursors)
+    cursor->Close();
 }

 void IndexedDBTransaction::AddPendingObserver( |
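Review bot: The destructor's remaining comment, `// Call to make sure we complete our lifetime trace.`, no longer describes everything the `Close()` call is now responsible for: after this change it is also the only path that drops the cursor from the transaction's `open_cursors_`. A maintainer reading the destructor alone could reintroduce an early return before `Close()` without realizing the transaction would then keep a pointer to a destroyed cursor. Suggest widening the comment to `// Close() completes the lifetime trace and unregisters this cursor from |transaction_|; it must run on every destruction path.` The constructor body that opens this hunk ends outside the hunk.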
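Review bot: The two added lines in `IndexedDBCursor::Close()` are the actual fix, but nothing in the hunk records why the unregistration has to happen here rather than in the destructor: once `transaction_` is nulled on the next line, this cursor can never be removed from the transaction's set, so a caller that reaches `Close()` directly would leave a dangling entry behind. A one-line comment above the new `if`, `// Unregister before clearing |transaction_|; a closed cursor must never remain in the transaction's open-cursor set.`, ties the ordering to the invariant. Whether `Close()` guards against being entered twice (the destructor now calls it unconditionally) depends on the lines before `closed_ = true;`, which start outside the hunk, so I cannot confirm from here that a double call is harmless.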
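Review bot: The local `open_cursors` set holds raw `IndexedDBCursor*` values whose lifetime the move does not extend, so the loop is only safe if closing one cursor cannot destroy another cursor that is still in the local set; the hunk gives no evidence either way, and that assumption deserves to be stated next to the new comment, e.g. `// Assumes Close() on one cursor never destroys a sibling cursor in |open_cursors|.` The retained `open_cursors_.clear();` after `std::move(open_cursors_)` is also worth a word, since a moved-from `std::set` is valid-but-unspecified and the clear is what guarantees `UnregisterOpenCursor()` sees an empty set: `// Moved-from set is valid-but-unspecified; make it empty explicitly.` This relies on `UnregisterOpenCursor()` tolerating a key that is no longer present (`std::set::erase` by key does), which I infer rather than see here.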