diff options
author | Victor Costan <pwnall@chromium.org> | 2019-10-21 22:29:45 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2020-03-10 15:49:11 +0000 |
commit | 6f1a37c63baf7cdbb919221258ad6fe294de9d82 (patch) | |
tree | 51991a2590f871a098facdc5ff82ae9dbb032945 | |
parent | 334bb80e4cebb56ec96f048cbef5f7b4f45e0763 (diff) | |
download | qtwebengine-chromium-6f1a37c63baf7cdbb919221258ad6fe294de9d82.tar.gz |
[Backport] Security bug 1016038
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/1869384:
IndexedDB: Mark transactions inactive during structured cloning.
Bug: 1016038
Change-Id: Icf24fb597c0dbfd83220fac20a557d05b0c9b96b
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
3 files changed, 29 insertions, 7 deletions
diff --git a/chromium/third_party/blink/renderer/modules/indexeddb/idb_object_store.cc b/chromium/third_party/blink/renderer/modules/indexeddb/idb_object_store.cc index 72fbca73b91..38f60f03fcb 100644 --- a/chromium/third_party/blink/renderer/modules/indexeddb/idb_object_store.cc +++ b/chromium/third_party/blink/renderer/modules/indexeddb/idb_object_store.cc @@ -411,6 +411,7 @@ IDBRequest* IDBObjectStore::DoPut(ScriptState* script_state, v8::Isolate* isolate = script_state->GetIsolate(); DCHECK(isolate->InContext()); + transaction_->SetActiveDuringSerialization(false); // TODO(crbug.com/719053): This wasm behavior differs from other browsers. SerializedScriptValue::SerializeOptions::WasmSerializationPolicy wasm_policy = ExecutionContext::From(script_state)->IsSecureContext() @@ -418,6 +419,7 @@ IDBRequest* IDBObjectStore::DoPut(ScriptState* script_state, : SerializedScriptValue::SerializeOptions::kBlockedInNonSecureContext; IDBValueWrapper value_wrapper(isolate, value.V8Value(), wasm_policy, exception_state); + transaction_->SetActiveDuringSerialization(true); if (exception_state.HadException()) return nullptr; diff --git a/chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.cc b/chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.cc index 8d6a4a1d743..31069d060a0 100644 --- a/chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.cc +++ b/chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.cc @@ -316,18 +316,31 @@ void IDBTransaction::IndexDeleted(IDBIndex* index) { deleted_indexes_.push_back(index); } -void IDBTransaction::SetActive(bool active) { - DCHECK_NE(state_, kFinished) << "A finished transaction tried to SetActive(" - << (active ? "true" : "false") << ")"; +void IDBTransaction::SetActive(bool new_is_active) { + DCHECK_NE(state_, kFinished) + << "A finished transaction tried to SetActive(" << new_is_active << ")"; if (state_ == kFinishing) return; - DCHECK_NE(active, (state_ == kActive)); - state_ = active ? kActive : kInactive; + DCHECK_NE(new_is_active, (state_ == kActive)); + state_ = new_is_active ? kActive : kInactive; - if (!active && request_list_.IsEmpty() && transaction_backend()) + if (!new_is_active && request_list_.IsEmpty() && transaction_backend()) transaction_backend()->Commit(num_errors_handled_); } +void IDBTransaction::SetActiveDuringSerialization(bool new_is_active) { + if (new_is_active) { + DCHECK_EQ(state_, kInactive) + << "Incorrect state restore during Structured Serialization"; + state_ = kActive; + } else { + DCHECK_EQ(state_, kActive) + << "Structured serialization attempted while transaction is inactive"; + state_ = kInactive; + } +} + + void IDBTransaction::abort(ExceptionState& exception_state) { if (state_ == kFinishing || state_ == kFinished) { exception_state.ThrowDOMException( diff --git a/chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.h b/chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.h index 913cb291937..fdd50526429 100644 --- a/chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.h +++ b/chromium/third_party/blink/renderer/modules/indexeddb/idb_transaction.h @@ -152,7 +152,14 @@ class MODULES_EXPORT IDBTransaction final // Called when deleting an index whose IDBIndex had been created. void IndexDeleted(IDBIndex*); - void SetActive(bool); + // Called during event dispatch. + // + // This can trigger transaction auto-commit. + void SetActive(bool new_is_active); + + // Called right before and after structured serialization. + void SetActiveDuringSerialization(bool new_is_active); + void SetError(DOMException*); DEFINE_ATTRIBUTE_EVENT_LISTENER(abort, kAbort) |