authorMichael BrĂ¼ning <michael.bruning@qt.io>2020-07-21 17:31:43 +0200
committerMichael BrĂ¼ning <michael.bruning@qt.io>2020-07-24 16:00:34 +0000
commit0b8e0d451a3b8619b4a4bcd8a1c94727207ef86a (patch)
tree74a49d294e471e207af4fdcc2b89497a0ee59b33
parent9b27a193c632557ddd0d7709219f9709f3281312 (diff)
downloadqtwebengine-chromium-0b8e0d451a3b8619b4a4bcd8a1c94727207ef86a.tar.gz
[Backport] CVE-2020-6534: Heap buffer overflow in WebRTC
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2160909: Check for executionContext returning null. This will happen if invoking functions on an object after its context has been destroyed. Added test. Bug: chromium:1072412 Change-Id: Icc2e8a5ad47398acffb2d56a299a51b11386c9f2 Commit-Queue: Harald Alvestrand <hta@chromium.org> Reviewed-by: Guido Urdaneta <guidou@chromium.org> Reviewed-by: Kentaro Hara <haraken@chromium.org> Cr-Commit-Position: refs/heads/master@{#763355} Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/modules/peerconnection/rtc_peer_connection.cc31
1 files changed, 31 insertions, 0 deletions
diff --git a/chromium/third_party/blink/renderer/modules/peerconnection/rtc_peer_connection.cc b/chromium/third_party/blink/renderer/modules/peerconnection/rtc_peer_connection.cc
index e352df0ad46..02fe5150743 100644
--- a/chromium/third_party/blink/renderer/modules/peerconnection/rtc_peer_connection.cc
+++ b/chromium/third_party/blink/renderer/modules/peerconnection/rtc_peer_connection.cc
@@ -1265,6 +1265,7 @@ void RTCPeerConnection::ReportSetSdpUsage(
ScriptPromise RTCPeerConnection::setLocalDescription(
ScriptState* script_state) {
+ DCHECK(script_state->ContextIsValid());
auto* resolver = MakeGarbageCollected<ScriptPromiseResolver>(script_state);
ScriptPromise promise = resolver->Promise();
auto* request = MakeGarbageCollected<RTCVoidRequestPromiseImpl>(
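Review bot: The only guard this overload gains is `DCHECK(script_state->ContextIsValid());`, and a DCHECK compiles out in release builds, so nothing here stops a call that arrives after the context has been destroyed. The sibling overloads in this commit get a real `closed_` early return and reach this one only after it (the `return setLocalDescription(script_state);` delegation), but if this single-argument form is also bound directly from script as the no-description variant, `pc.close(); pc.setLocalDescription()` would skip the guard entirely; that binding is not visible in the hunk, so confirm it against the IDL. If it is directly reachable, reject the promise with the same InvalidStateError the other overloads throw, before anything else on the request path is built (using whichever DOMException construction the file already relies on). setLocalDescription's body continues past the end of the hunk.
```cpp
  ScriptPromise promise = resolver->Promise();
  // Mirror the closed_ guard of the other overloads; the DCHECK above gives
  // no release-mode protection once the execution context is gone.
  if (closed_) {
    resolver->Reject(MakeGarbageCollected<DOMException>(
        DOMExceptionCode::kInvalidStateError, kSignalingStateClosedMessage));
    return promise;
  }
  // … unchanged: RTCVoidRequestPromiseImpl construction and the rest of the method …
```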
@@ -1278,6 +1279,13 @@ ScriptPromise RTCPeerConnection::setLocalDescription(
ScriptState* script_state,
const RTCSessionDescriptionInit* session_description_init,
ExceptionState& exception_state) {
+ if (closed_) {
+ exception_state.ThrowDOMException(DOMExceptionCode::kInvalidStateError,
+ kSignalingStateClosedMessage);
+ return ScriptPromise();
+ }
+
+ DCHECK(script_state->ContextIsValid());
if (session_description_init->type().IsNull() &&
session_description_init->sdp().IsNull()) {
return setLocalDescription(script_state);
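Review bot: The `DCHECK(script_state->ContextIsValid());` placed before the type/sdp test is debug-only and is not what closes the hole; the release-mode protection is the new `closed_` early return above it, which in turn depends on ContextDestroyed() marking the connection closed elsewhere in this commit. That coupling is silent in the code, so I would state it where the guard lives: `// closed_ is also set from ContextDestroyed(); this early return, not the DCHECK below, is what keeps a call on a destroyed context from proceeding.` The ordering is right: the guard runs before the delegation to the single-argument overload on the last line, which itself carries only a DCHECK. The function continues past the hunk.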
@@ -1316,6 +1324,12 @@ ScriptPromise RTCPeerConnection::setLocalDescription(
const RTCSessionDescriptionInit* session_description_init,
V8VoidFunction* success_callback,
V8RTCPeerConnectionErrorCallback* error_callback) {
+ if (CallErrorCallbackIfSignalingStateClosed(signaling_state_,
+ error_callback)) {
+ return ScriptPromise::CastUndefined(script_state);
+ }
+
+ DCHECK(script_state->ContextIsValid());
if (session_description_init->type() != "rollback") {
MaybeWarnAboutUnsafeSdp(session_description_init);
ReportSetSdpUsage(SetSdpOperationType::kSetLocalDescription,
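Review bot: This callback overload keys its guard on `signaling_state_` through CallErrorCallbackIfSignalingStateClosed, whereas the exception-throwing overloads of the same commit key on `closed_`; the two are presumably both updated by CloseInternal(), but if they can ever diverge (for instance part-way through a close) the callback form would pass its guard and continue to a DCHECK that does nothing in release builds. Confirm the two flags are always updated together, or additionally test `closed_` here. I would also document why the guard must come first: `// Must precede MaybeWarnAboutUnsafeSdp/ReportSetSdpUsage: after ContextDestroyed() the execution context may be null.` — that the helpers need a live context is inferred from the CHECK added in the setRemoteDescription callback overload, so verify it. setLocalDescription's body continues past the hunk.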
@@ -1390,6 +1404,13 @@ ScriptPromise RTCPeerConnection::setRemoteDescription(
ScriptState* script_state,
const RTCSessionDescriptionInit* session_description_init,
ExceptionState& exception_state) {
+ if (closed_) {
+ exception_state.ThrowDOMException(DOMExceptionCode::kInvalidStateError,
+ kSignalingStateClosedMessage);
+ return ScriptPromise();
+ }
+
+ DCHECK(script_state->ContextIsValid());
if (session_description_init->type() != "rollback") {
MaybeWarnAboutUnsafeSdp(session_description_init);
ReportSetSdpUsage(SetSdpOperationType::kSetRemoteDescription,
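Review bot: The new guard reports the closed state synchronously through `exception_state.ThrowDOMException(...)` and returns an empty `ScriptPromise()`; for a promise-returning method that is only correct if the bindings turn the pending exception into a rejected promise, which is what script should observe for a closed connection. That conversion happens outside this file, so confirm it rather than assume it, especially since the callback overload in the same commit instead reports through `error_callback` and returns `ScriptPromise::CastUndefined(script_state)`. As with the setLocalDescription overload, the `DCHECK(script_state->ContextIsValid());` is debug-only and the `closed_` return is the actual protection; a one-line comment saying so would stop a future cleanup from treating the DCHECK as sufficient. The function continues past the hunk.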
@@ -1422,12 +1443,19 @@ ScriptPromise RTCPeerConnection::setRemoteDescription(
const RTCSessionDescriptionInit* session_description_init,
V8VoidFunction* success_callback,
V8RTCPeerConnectionErrorCallback* error_callback) {
+ if (CallErrorCallbackIfSignalingStateClosed(signaling_state_,
+ error_callback)) {
+ return ScriptPromise::CastUndefined(script_state);
+ }
+
+ DCHECK(script_state->ContextIsValid());
if (session_description_init->type() != "rollback") {
MaybeWarnAboutUnsafeSdp(session_description_init);
ReportSetSdpUsage(SetSdpOperationType::kSetRemoteDescription,
session_description_init);
}
ExecutionContext* context = ExecutionContext::From(script_state);
+ CHECK(context);
if (success_callback && error_callback) {
UseCounter::Count(
context,
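Review bot: `CHECK(context);` after `ExecutionContext::From(script_state)` turns a null context into a deterministic renderer abort rather than passing null into `UseCounter::Count`, and the guard at the top of the overload should make it unreachable; that intent is not recorded, so I would annotate it: `// Defense in depth: From() returns null once the context is destroyed; the guard above should make this unreachable, so fail loudly rather than hand null to UseCounter::Count.` Note that this overload's guard keys on `signaling_state_`, not `closed_`, so if the two can diverge the CHECK is the line that will fire — a crash (DoS) rather than memory corruption, which is the right trade-off but worth stating. The matching setLocalDescription callback overload does not show a corresponding CHECK in its hunk; its body continues outside that hunk, so verify it has one where it reads the context. setRemoteDescription's body continues past this hunk as well.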
@@ -3095,6 +3123,9 @@ ExecutionContext* RTCPeerConnection::GetExecutionContext() const {
}
void RTCPeerConnection::ContextDestroyed(ExecutionContext*) {
+ if (!closed_) {
+ CloseInternal();
+ }
ReleasePeerConnectionHandler();
}
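Review bot: The `if (!closed_) CloseInternal();` added to ContextDestroyed() is the piece the new early returns depend on, yet nothing says so; I would add `// Mark the connection closed so the setLocal/RemoteDescription entry points reject early instead of touching a now-null ExecutionContext (crbug.com/1072412).` above the branch. Two things to confirm that the hunk cannot show: that CloseInternal() itself sets `closed_` (otherwise the guard here and the early returns both stay open), and that it is safe to run while the context is being torn down — if it dispatches events or resolves promises into script, doing so from ContextDestroyed() may need the same null-context care this commit adds elsewhere. Calling it before `ReleasePeerConnectionHandler()` looks like the right order, since the close path presumably still needs the handler.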