author | Jeremy Roman <jbroman@chromium.org> | 2020-01-28 19:57:55 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2020-03-02 12:25:49 +0000 |
commit | 5751c8f721439d6abefdeddbbcb7fbcc4b415334 (patch) | |
tree | 8673871bc5ed373008bf32d2a948091bcb7706e8 | |
parent | 5887eeff3a3f11be694eb3e94b6f3c211d1cb82f (diff) | |
download | qtwebengine-chromium-5751c8f721439d6abefdeddbbcb7fbcc4b415334.tar.gz |
[Backport] CVE-2020-6390 - Out of bounds memory access in streams
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2025573:
Move ReadableStream requests onto the stack before iteration.
This might be subject to concurrent modification by script.
(cherry picked from commit 12310ed05f15fea5fa6824c6a6b5d86f81532e25)
Bug: 1045874
Contributed-by: Sergei Glazunov <glazunov@google.com>
Change-Id: I24263327e67e7799df6de3b7592ac641ddf6cfcf
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/third_party/blink/renderer/core/streams/readable_stream_native.cc | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/chromium/third_party/blink/renderer/core/streams/readable_stream_native.cc b/chromium/third_party/blink/renderer/core/streams/readable_stream_native.cc
index 632ea367d68..240f1003a37 100644
--- a/chromium/third_party/blink/renderer/core/streams/readable_stream_native.cc
+++ b/chromium/third_party/blink/renderer/core/streams/readable_stream_native.cc
@@ -708,7 +708,9 @@ class ReadableStreamNative::TeeEngine::PullAlgorithm final
 // b. Perform ! ReadableStreamDefaultControllerClose(branch2.
 // [[readableStreamController]]).
 for (int branch = 0; branch < 2; ++branch) {
- if (!engine_->canceled_[branch]) {
+ if (!engine_->canceled_[branch] &&
+ ReadableStreamDefaultController::CanCloseOrEnqueue(
++ engine_->controller_[branch])) {
 ReadableStreamDefaultController::Close(
 script_state, engine_->controller_[branch]);
 }
@@ -734,7 +736,9 @@ class ReadableStreamNative::TeeEngine::PullAlgorithm final
 // ReadableStreamDefaultControllerEnqueue(branch2.
 // [[readableStreamController]], value2).
 for (int branch = 0; branch < 2; ++branch) {
- if (!engine_->canceled_[branch]) {
+ if (!engine_->canceled_[branch] &&
+ ReadableStreamDefaultController::CanCloseOrEnqueue(
+ engine_->controller_[branch])) {
 ReadableStreamDefaultController::Enqueue(script_state,
 engine_->controller_[branch],
 value, exception_state);
@@ -1532,7 +1536,9 @@ void ReadableStreamNative::Close(ScriptState* script_state,
 // 5. If ! IsReadableStreamDefaultReader(reader) is true,
 // a. Repeat for each readRequest that is an element of reader.
 // [[readRequests]],
- for (StreamPromiseResolver* promise : reader->read_requests_) {
+ HeapDeque<Member<StreamPromiseResolver>> requests;
+ requests.Swap(reader->read_requests_);
+ for (StreamPromiseResolver* promise : requests) {
 // i. Resolve readRequest.[[promise]] with !
 // ReadableStreamCreateReadResult(undefined, true, reader.
 // [[forAuthorCode]]).
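Review bot: The new `CanCloseOrEnqueue` condition in the `if` of the first hunk (and the identical one in the Enqueue hunk at @@ -734) silently skips a branch whose controller can no longer be closed or enqueued to, while the spec comment directly above still reads `Perform !`, which asserts the step cannot fail; a reader comparing code to spec will see a contradiction and nothing explains it. The reason is presumably that script can close or error a branch controller between the read and this callback, but that is inferred, so the comment should say what is known: `// Unlike the spec's "Perform !", the branch controller may no longer accept close/enqueue here; guard rather than assert.` placed above the `if` in both hunks. Note also that the first hunk's line `++ engine_->controller_[branch])) {` shows a doubled marker that does not appear in the otherwise identical second hunk, which looks like a rendering artifact rather than real source text and should be confirmed against the actual patch. The enclosing `PullAlgorithm` method starts and ends outside these hunks.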
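Review bot: The `requests.Swap(reader->read_requests_);` line in the @@ -1532 hunk has no comment explaining why the deque is moved onto the stack before the loop, so the local looks like a gratuitous copy and invites being "simplified" back into the original out-of-bounds iteration the commit fixes. The commit message gives the reason (the list may be modified by script while it is iterated) and the code should carry it too, e.g. above the `HeapDeque` declaration: `// Resolving a request below can run script that mutates reader->read_requests_; iterate a local copy so the loop never walks a deque that is changing under it.` It is also worth confirming, rather than assuming, that any read requests script appends to `reader->read_requests_` during this loop are still resolved by some later path, since the swapped-out deque is now empty and the old `clear()` in the following hunk has been replaced by a comment. The enclosing `ReadableStreamNative::Close` starts before this hunk and continues past it.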
@@ -1543,7 +1549,7 @@ void ReadableStreamNative::Close(ScriptState* script_state,
 }
 // b. Set reader.[[readRequests]] to an empty List.
- reader->read_requests_.clear();
+ // This is not required since we've already called Swap().
 // 6. Resolve reader.[[closedPromise]] with undefined.
 reader->closed_promise_->ResolveWithUndefined(script_state); |