[Backport] CVE-2020-6407: Out of bounds memory access in streams

Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2032471 https://chromium-review.googlesource.com/c/chromium/src/+/2060221: Streams: Convert state DCHECKs to CHECKs Merge to release branch 3987. Original description: For "cheap" checks of state in the streams implementation, use CHECKs instead of DCHECKs. This will improve robustness against logic errors. BUG=1045931 TBR=yhirano@chromium.org (cherry picked from commit 122b074f0354079f3d9044cc14890dcfd2d72918) Change-Id: Ide564096a4aeb05e0e09a8fad9056b617dbcaf31 Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
author: Adam Rice <ricea@chromium.org> 2020-02-18 06:43:52 +0000
committer: Michael Brüning <michael.bruning@qt.io> 2020-03-05 09:50:12 +0000
commit: 642c7bea74e22a9578944ff419fa9fa682adbab7 (patch)
tree: ab7b0798b9dab3a13248a72ce8210aab27730530
parent: 5707cc4f757445b3776a1405f3cc364e5d6cafee (diff)
download: qtwebengine-chromium-642c7bea74e22a9578944ff419fa9fa682adbab7.tar.gz
6 files changed, 27 insertions, 27 deletions
diff --git a/chromium/third_party/blink/renderer/core/streams/readable_stream_default_controller.cc b/chromium/third_party/blink/renderer/core/streams/readable_stream_default_controller.cc
index 653cab070a3..d9e69a72280 100644
--- a/chromium/third_party/blink/renderer/core/streams/readable_stream_default_controller.cc
+++ b/chromium/third_party/blink/renderer/core/streams/readable_stream_default_controller.cc
@@ -110,7 +110,7 @@ void ReadableStreamDefaultController::Close(
 
   // 2. Assert: ! ReadableStreamDefaultControllerCanCloseOrEnqueue(controller)
   //    is true.
-  DCHECK(CanCloseOrEnqueue(controller));
+  CHECK(CanCloseOrEnqueue(controller));
 
   // 3. Set controller.[[closeRequested]] to true.
   controller->is_close_requested_ = true;
@@ -136,7 +136,7 @@ void ReadableStreamDefaultController::Enqueue(
 
   // 2. Assert: ! ReadableStreamDefaultControllerCanCloseOrEnqueue(controller)
   //    is true.
-  DCHECK(CanCloseOrEnqueue(controller));
+  CHECK(CanCloseOrEnqueue(controller));
 
   // 3. If ! IsReadableStreamLocked(stream) is true and !
   //    ReadableStreamGetNumReadRequests(stream) > 0, perform !
@@ -261,7 +261,7 @@ const char* ReadableStreamDefaultController::EnqueueExceptionMessage(
   if (state == ReadableStreamNative::kErrored) {
     return "Cannot enqueue a chunk into an errored readable stream";
   }
-  DCHECK(state == ReadableStreamNative::kClosed);
+  CHECK(state == ReadableStreamNative::kClosed);
   return "Cannot enqueue a chunk into a closed readable stream";
 }
 
diff --git a/chromium/third_party/blink/renderer/core/streams/readable_stream_native.cc b/chromium/third_party/blink/renderer/core/streams/readable_stream_native.cc
index 240f1003a37..49eaeb8a976 100644
--- a/chromium/third_party/blink/renderer/core/streams/readable_stream_native.cc
+++ b/chromium/third_party/blink/renderer/core/streams/readable_stream_native.cc
@@ -1333,7 +1333,7 @@ void ReadableStreamNative::Initialize(ReadableStreamNative* stream) {
   // initialised correctly.
   // https://streams.spec.whatwg.org/#initialize-readable-stream
   // 1. Set stream.[[state]] to "readable".
-  DCHECK_EQ(stream->state_, kReadable);
+  CHECK_EQ(stream->state_, kReadable);
   // 2. Set stream.[[reader]] and stream.[[storedError]] to undefined.
   DCHECK(!stream->reader_);
   DCHECK(stream->stored_error_.IsEmpty());
@@ -1452,7 +1452,7 @@ StreamPromiseResolver* ReadableStreamNative::AddReadRequest(
   DCHECK(stream->reader_);
 
   // 2. Assert: stream.[[state]] is "readable".
-  DCHECK_EQ(stream->state_, kReadable);
+  CHECK_EQ(stream->state_, kReadable);
 
   // 3. Let promise be a new promise.
   auto* promise = MakeGarbageCollected<StreamPromiseResolver>(script_state);
@@ -1519,7 +1519,7 @@ void ReadableStreamNative::Close(ScriptState* script_state,
                                  ReadableStreamNative* stream) {
   // https://streams.spec.whatwg.org/#readable-stream-close
   // 1. Assert: stream.[[state]] is "readable".
-  DCHECK_EQ(stream->state_, kReadable);
+  CHECK_EQ(stream->state_, kReadable);
 
   // 2. Set stream.[[state]] to "closed".
   stream->state_ = kClosed;
@@ -1606,7 +1606,7 @@ void ReadableStreamNative::Error(ScriptState* script_state,
                                  v8::Local<v8::Value> e) {
   // https://streams.spec.whatwg.org/#readable-stream-error
   // 2. Assert: stream.[[state]] is "readable".
-  DCHECK_EQ(stream->state_, kReadable);
+  CHECK_EQ(stream->state_, kReadable);
   auto* isolate = script_state->GetIsolate();
 
   // 3. Set stream.[[state]] to "errored".
diff --git a/chromium/third_party/blink/renderer/core/streams/transform_stream_native.cc b/chromium/third_party/blink/renderer/core/streams/transform_stream_native.cc
index 825cece3098..bb1879be172 100644
--- a/chromium/third_party/blink/renderer/core/streams/transform_stream_native.cc
+++ b/chromium/third_party/blink/renderer/core/streams/transform_stream_native.cc
@@ -488,7 +488,7 @@ class TransformStreamNative::DefaultSinkWriteAlgorithm final
           }
 
           // 4. Assert: state is "writable".
-          DCHECK(writable->IsWritable());
+          CHECK(writable->IsWritable());
 
           // 5. Return ! TransformStreamDefaultControllerPerformTransform(
           //    controller, chunk).
diff --git a/chromium/third_party/blink/renderer/core/streams/writable_stream_default_controller.cc b/chromium/third_party/blink/renderer/core/streams/writable_stream_default_controller.cc
index 08652a65c0a..afded82d46d 100644
--- a/chromium/third_party/blink/renderer/core/streams/writable_stream_default_controller.cc
+++ b/chromium/third_party/blink/renderer/core/streams/writable_stream_default_controller.cc
@@ -146,8 +146,8 @@ void WritableStreamDefaultController::SetUp(
       // 16. Upon fulfillment of startPromise
       //      a. Assert: stream.[[state]] is "writable" or "erroring".
       const auto state = stream_->GetState();
-      DCHECK(state == WritableStreamNative::kWritable ||
-             state == WritableStreamNative::kErroring);
+      CHECK(state == WritableStreamNative::kWritable ||
+            state == WritableStreamNative::kErroring);
 
       //      b. Set controller.[[started]] to true.
       WritableStreamDefaultController* controller = stream_->Controller();
@@ -178,8 +178,8 @@ void WritableStreamDefaultController::SetUp(
       // 17. Upon rejection of startPromise with reason r,
       //      a. Assert: stream.[[state]] is "writable" or "erroring".
       const auto state = stream_->GetState();
-      DCHECK(state == WritableStreamNative::kWritable ||
-             state == WritableStreamNative::kErroring);
+      CHECK(state == WritableStreamNative::kWritable ||
+            state == WritableStreamNative::kErroring);
 
       //      b. Set controller.[[started]] to true.
       WritableStreamDefaultController* controller = stream_->Controller();
@@ -578,8 +578,8 @@ void WritableStreamDefaultController::ProcessWrite(
       const auto state = stream_->GetState();
 
       //      c. Assert: state is "writable" or "erroring".
-      DCHECK(state == WritableStreamNative::kWritable ||
-             state == WritableStreamNative::kErroring);
+      CHECK(state == WritableStreamNative::kWritable ||
+            state == WritableStreamNative::kErroring);
 
       //      d. Perform ! DequeueValue(controller).
       controller_->queue_->DequeueValue(script_state->GetIsolate());
diff --git a/chromium/third_party/blink/renderer/core/streams/writable_stream_default_writer.cc b/chromium/third_party/blink/renderer/core/streams/writable_stream_default_writer.cc
index de107de2f5c..146ac34d274 100644
--- a/chromium/third_party/blink/renderer/core/streams/writable_stream_default_writer.cc
+++ b/chromium/third_party/blink/renderer/core/streams/writable_stream_default_writer.cc
@@ -346,8 +346,8 @@ v8::Local<v8::Promise> WritableStreamDefaultWriter::CloseWithErrorPropagation(
   }
 
   //  6. Assert: state is "writable" or "erroring".
-  DCHECK(state == WritableStreamNative::kWritable ||
-         state == WritableStreamNative::kErroring);
+  CHECK(state == WritableStreamNative::kWritable ||
+        state == WritableStreamNative::kErroring);
 
   //  7. Return ! WritableStreamDefaultWriterClose(writer).
   return Close(script_state, writer);
diff --git a/chromium/third_party/blink/renderer/core/streams/writable_stream_native.cc b/chromium/third_party/blink/renderer/core/streams/writable_stream_native.cc
index 4c8477811ac..71c5e6fa5b4 100644
--- a/chromium/third_party/blink/renderer/core/streams/writable_stream_native.cc
+++ b/chromium/third_party/blink/renderer/core/streams/writable_stream_native.cc
@@ -316,7 +316,7 @@ v8::Local<v8::Promise> WritableStreamNative::Abort(
   }
 
   //  4. Assert: state is "writable" or "erroring".
-  DCHECK(state == kWritable || state == kErroring);
+  CHECK(state == kWritable || state == kErroring);
 
   //  5. Let wasAlreadyErroring be false.
   //  6. If state is "erroring",
@@ -355,7 +355,7 @@ v8::Local<v8::Promise> WritableStreamNative::AddWriteRequest(
   DCHECK(IsLocked(stream));
 
   //  2. Assert: stream.[[state]] is "writable".
-  DCHECK_EQ(stream->state_, kWritable);
+  CHECK_EQ(stream->state_, kWritable);
 
   //  3. Let promise be a new promise.
   auto* promise = MakeGarbageCollected<StreamPromiseResolver>(script_state);
@@ -393,7 +393,7 @@ void WritableStreamNative::DealWithRejection(ScriptState* script_state,
   }
 
   //  3. Assert: state is "erroring".
-  DCHECK_EQ(state, kErroring);
+  CHECK_EQ(state, kErroring);
 
   //  4. Perform ! WritableStreamFinishErroring(stream).
   FinishErroring(script_state, stream);
@@ -407,7 +407,7 @@ void WritableStreamNative::StartErroring(ScriptState* script_state,
   DCHECK(stream->stored_error_.IsEmpty());
 
   //  2. Assert: stream.[[state]] is "writable".
-  DCHECK_EQ(stream->state_, kWritable);
+  CHECK_EQ(stream->state_, kWritable);
 
   //  3. Let controller be stream.[[writableStreamController]].
   WritableStreamDefaultController* controller =
@@ -444,7 +444,7 @@ void WritableStreamNative::FinishErroring(ScriptState* script_state,
                                           WritableStreamNative* stream) {
   // https://streams.spec.whatwg.org/#writable-stream-finish-erroring
   //  1. Assert: stream.[[state]] is "erroring".
-  DCHECK_EQ(stream->state_, kErroring);
+  CHECK_EQ(stream->state_, kErroring);
 
   //  2. Assert: ! WritableStreamHasOperationMarkedInFlight(stream) is false.
   DCHECK(!HasOperationMarkedInFlight(stream));
@@ -593,7 +593,7 @@ void WritableStreamNative::FinishInFlightWriteWithError(
 
   //  4. Assert: stream.[[state]] is "writable" or "erroring".
   const auto state = stream->state_;
-  DCHECK(state == kWritable || state == kErroring);
+  CHECK(state == kWritable || state == kErroring);
 
   //  5. Perform ! WritableStreamDealWithRejection(stream, error).
   DealWithRejection(script_state, stream, error);
@@ -615,7 +615,7 @@ void WritableStreamNative::FinishInFlightClose(ScriptState* script_state,
   const auto state = stream->state_;
 
   //  5. Assert: stream.[[state]] is "writable" or "erroring".
-  DCHECK(state == kWritable || state == kErroring);
+  CHECK(state == kWritable || state == kErroring);
 
   //  6. If state is "erroring",
   if (state == kErroring) {
@@ -669,7 +669,7 @@ void WritableStreamNative::FinishInFlightCloseWithError(
 
   //  4. Assert: stream.[[state]] is "writable" or "erroring".
   const auto state = stream->state_;
-  DCHECK(state == kWritable || state == kErroring);
+  CHECK(state == kWritable || state == kErroring);
 
   //  5. If stream.[[pendingAbortRequest]] is not undefined,
   if (stream->pending_abort_request_) {
@@ -725,10 +725,10 @@ void WritableStreamNative::UpdateBackpressure(ScriptState* script_state,
                                               bool backpressure) {
   // https://streams.spec.whatwg.org/#writable-stream-update-backpressure
   //  1. Assert: stream.[[state]] is "writable".
-  DCHECK_EQ(stream->state_, kWritable);
+  CHECK_EQ(stream->state_, kWritable);
 
   //  2. Assert: ! WritableStreamCloseQueuedOrInFlight(stream) is false.
-  DCHECK(!CloseQueuedOrInFlight(stream));
+  CHECK(!CloseQueuedOrInFlight(stream));
 
   //  3. Let writer be stream.[[writer]].
   WritableStreamDefaultWriter* writer = stream->writer_;
@@ -800,7 +800,7 @@ void WritableStreamNative::RejectCloseAndClosedPromiseIfNeeded(
     WritableStreamNative* stream) {
   // https://streams.spec.whatwg.org/#writable-stream-reject-close-and-closed-promise-if-needed
   // //  1. Assert: stream.[[state]] is "errored".
-  DCHECK_EQ(stream->state_, kErrored);
+  CHECK_EQ(stream->state_, kErrored);
 
   auto* isolate = script_state->GetIsolate();
author	Adam Rice <ricea@chromium.org>	2020-02-18 06:43:52 +0000
committer	Michael Brüning <michael.bruning@qt.io>	2020-03-05 09:50:12 +0000
commit	642c7bea74e22a9578944ff419fa9fa682adbab7 (patch)
tree	ab7b0798b9dab3a13248a72ce8210aab27730530
parent	5707cc4f757445b3776a1405f3cc364e5d6cafee (diff)
download	qtwebengine-chromium-642c7bea74e22a9578944ff419fa9fa682adbab7.tar.gz