author | Michael Brüning <michael.bruning@qt.io> | 2020-07-21 17:31:43 +0200 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2020-07-24 16:00:34 +0000 |
commit | 0b8e0d451a3b8619b4a4bcd8a1c94727207ef86a (patch) | |
tree | 74a49d294e471e207af4fdcc2b89497a0ee59b33 | |
parent | 9b27a193c632557ddd0d7709219f9709f3281312 (diff) | |
[Backport] CVE-2020-6534: Heap buffer overflow in WebRTC
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2160909:
Check for executionContext returning null
This will happen if invoking functions on an object after its
context has been destroyed.
Added test.
Bug: chromium:1072412
Change-Id: Icc2e8a5ad47398acffb2d56a299a51b11386c9f2
Commit-Queue: Harald Alvestrand <hta@chromium.org>
Reviewed-by: Guido Urdaneta <guidou@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Cr-Commit-Position: refs/heads/master@{#763355}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/third_party/blink/renderer/modules/peerconnection/rtc_peer_connection.cc | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/chromium/third_party/blink/renderer/modules/peerconnection/rtc_peer_connection.cc b/chromium/third_party/blink/renderer/modules/peerconnection/rtc_peer_connection.cc
index e352df0ad46..02fe5150743 100644
--- a/chromium/third_party/blink/renderer/modules/peerconnection/rtc_peer_connection.cc
+++ b/chromium/third_party/blink/renderer/modules/peerconnection/rtc_peer_connection.cc
@@ -1265,6 +1265,7 @@ void RTCPeerConnection::ReportSetSdpUsage(
 ScriptPromise RTCPeerConnection::setLocalDescription(
 ScriptState* script_state) {
+ DCHECK(script_state->ContextIsValid());
 auto* resolver = MakeGarbageCollected<ScriptPromiseResolver>(script_state);
 ScriptPromise promise = resolver->Promise();
 auto* request = MakeGarbageCollected<RTCVoidRequestPromiseImpl>(
@@ -1278,6 +1279,13 @@ ScriptPromise RTCPeerConnection::setLocalDescription(
 ScriptState* script_state,
 const RTCSessionDescriptionInit* session_description_init,
 ExceptionState& exception_state) {
+ if (closed_) {
+ exception_state.ThrowDOMException(DOMExceptionCode::kInvalidStateError,
+ kSignalingStateClosedMessage);
+ return ScriptPromise();
+ }
+
+ DCHECK(script_state->ContextIsValid());
 if (session_description_init->type().IsNull() &&
 session_description_init->sdp().IsNull()) {
 return setLocalDescription(script_state);
@@ -1316,6 +1324,12 @@ ScriptPromise RTCPeerConnection::setLocalDescription(
 const RTCSessionDescriptionInit* session_description_init,
 V8VoidFunction* success_callback,
 V8RTCPeerConnectionErrorCallback* error_callback) {
+ if (CallErrorCallbackIfSignalingStateClosed(signaling_state_,
+ error_callback)) {
+ return ScriptPromise::CastUndefined(script_state);
+ }
+
+ DCHECK(script_state->ContextIsValid());
 if (session_description_init->type() != "rollback") {
 MaybeWarnAboutUnsafeSdp(session_description_init);
 ReportSetSdpUsage(SetSdpOperationType::kSetLocalDescription,
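Review bot: The zero-argument setLocalDescription overload gains only `DCHECK(script_state->ContextIsValid())`, and DCHECK compiles out of release builds, so unlike the other overloads in this commit it has no runtime guard at all. If this overload is also reachable directly from script rather than only through the three-argument form (which now returns early when `closed_`), it needs the same `if (closed_) { ... }` early return; if it is only reached via the checked overload, a comment should say so, e.g. `// Only reached from the overload above, which already rejects closed_ connections.`. The rest of this function's body is outside the hunk.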
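Review bot: The legacy-callback setLocalDescription overload guards on `signaling_state_` through CallErrorCallbackIfSignalingStateClosed, while the promise overloads in this same commit guard on `closed_`; the fix only holds if the two are always updated together, and whether CloseInternal() (called from the new ContextDestroyed code) also moves the signaling state to closed is not visible here. If they can diverge, checking `closed_` here as well, or documenting why the signaling-state check is sufficient, would keep this overload on the same footing as the others. The function continues past the hunk.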
@@ -1390,6 +1404,13 @@ ScriptPromise RTCPeerConnection::setRemoteDescription(
 ScriptState* script_state,
 const RTCSessionDescriptionInit* session_description_init,
 ExceptionState& exception_state) {
+ if (closed_) {
+ exception_state.ThrowDOMException(DOMExceptionCode::kInvalidStateError,
+ kSignalingStateClosedMessage);
+ return ScriptPromise();
+ }
+
+ DCHECK(script_state->ContextIsValid());
 if (session_description_init->type() != "rollback") {
 MaybeWarnAboutUnsafeSdp(session_description_init);
 ReportSetSdpUsage(SetSdpOperationType::kSetRemoteDescription,
@@ -1422,12 +1443,19 @@ ScriptPromise RTCPeerConnection::setRemoteDescription(
 const RTCSessionDescriptionInit* session_description_init,
 V8VoidFunction* success_callback,
 V8RTCPeerConnectionErrorCallback* error_callback) {
+ if (CallErrorCallbackIfSignalingStateClosed(signaling_state_,
+ error_callback)) {
+ return ScriptPromise::CastUndefined(script_state);
+ }
+
+ DCHECK(script_state->ContextIsValid());
 if (session_description_init->type() != "rollback") {
 MaybeWarnAboutUnsafeSdp(session_description_init);
 ReportSetSdpUsage(SetSdpOperationType::kSetRemoteDescription,
 session_description_init);
 }
 ExecutionContext* context = ExecutionContext::From(script_state);
+ CHECK(context);
 if (success_callback && error_callback) {
 UseCounter::Count(
 context,
@@ -3095,6 +3123,9 @@ ExecutionContext* RTCPeerConnection::GetExecutionContext() const {
 }
 void RTCPeerConnection::ContextDestroyed(ExecutionContext*) {
+ if (!closed_) {
+ CloseInternal();
+ }
 ReleasePeerConnectionHandler();
 } |
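Review bot: `CHECK(context)` is the only null check in this commit that survives into release builds, and it is added to the setRemoteDescription callback overload alone; the parallel setLocalDescription callback overload (hunk at 1316) presumably obtains its ExecutionContext the same way for its own UseCounter call, but that part of its body lies outside the hunk, so verify it gets an equivalent CHECK or early return. The DCHECKs added above it are debug-only and provide no protection in shipped builds, so the `closed_` guards and this CHECK are what actually prevent the null dereference. The function continues past the hunk.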
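Review bot: The new `if (!closed_) { CloseInternal(); }` in ContextDestroyed is what makes every `closed_` guard added elsewhere in this commit hold for calls made after the context is gone, but nothing in the code says so; add `// Mark the connection closed before the handler is released so later script calls hit the closed_ guards instead of a null ExecutionContext.` above it. It is also worth confirming that CloseInternal() does not dispatch events or otherwise re-enter script when invoked during context teardown, since the context is already being destroyed at this point; that cannot be determined from the hunk.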