| field | value | date |
|---|---|---|
| author | Adrienne Walker <enne@chromium.org> | 2020-07-22 15:39:33 +0000 |
| committer | Michael Brüning <michael.bruning@qt.io> | 2020-08-11 14:49:05 +0000 |
| commit | 0eed9609606159c3cd5b9d1c47dab23b1a4abc75 (patch) | |
| tree | 663a247c7f2cec07f679d3a9580e52928fd7ce8c | |
| parent | d2f5e4d3a25b3668362015ddba4f3b5932ed200f (diff) | |
| download | qtwebengine-chromium-0eed9609606159c3cd5b9d1c47dab23b1a4abc75.tar.gz | |
[Backport] CVE-2020-6550: Use after free in IndexedDB
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2311620:
indexeddb: fix crash in WebIDBGetDBNamesCallbacksImpl
Resolve() can end up freeing WebIDBGetDBNamesCallbacksImpl by throwing a
mojo error that deletes the self-owned associated receiver that owns it.
So, don't call any other functions after it.
As the promise resolver can only resolve/reject once, it is safe to
not clear it.
Bug: 1106682
Change-Id: Iea943f3c5c1e57adb6ad399baff49522f54d264b
Commit-Queue: Daniel Murphy <dmurph@chromium.org>
Reviewed-by: Daniel Murphy <dmurph@chromium.org>
Auto-Submit: enne <enne@chromium.org>
Cr-Commit-Position: refs/heads/master@{#790857}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/third_party/blink/renderer/modules/indexeddb/idb_factory.cc | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/chromium/third_party/blink/renderer/modules/indexeddb/idb_factory.cc b/chromium/third_party/blink/renderer/modules/indexeddb/idb_factory.cc index c7b06b4c851..645e5cbf682 100644 --- a/chromium/third_party/blink/renderer/modules/indexeddb/idb_factory.cc +++ b/chromium/third_party/blink/renderer/modules/indexeddb/idb_factory.cc @@ -105,7 +105,6 @@ class WebIDBGetDBNamesCallbacksImpl : public WebIDBCallbacks { promise_resolver_->Reject(MakeGarbageCollected<DOMException>( DOMExceptionCode::kUnknownError, "The databases() promise was rejected.")); - promise_resolver_.Clear(); } void SuccessNamesAndVersionsList( @@ -129,7 +128,7 @@ class WebIDBGetDBNamesCallbacksImpl : public WebIDBCallbacks { ExecutionContext::From(promise_resolver_->GetScriptState()), &async_task_id_, "success"); promise_resolver_->Resolve(name_and_version_list); - promise_resolver_.Clear(); + // Note: Resolve may cause |this| to be deleted. } void SuccessStringList(const Vector<String>&) override { NOTREACHED(); } |
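Review bot: the first hunk (@@ -105) drops `promise_resolver_.Clear();` after `promise_resolver_->Reject(...)` without any comment, while the second hunk (@@ -129) marks the same pattern with `// Note: Resolve may cause |this| to be deleted.`; if Reject can also tear down the self-owned receiver through a mojo error, add the matching comment on the Reject path so a later edit does not reintroduce a member access after the call, and if it cannot, the commit message should state why removing that Clear() is safe rather than only explaining the Resolve case. The diffstat shows only idb_factory.cc changed, so nothing in this backport exercises the resolve-triggers-disconnect path; a unit test that resolves the promise while the associated receiver is being destroyed would pin the fixed lifetime ordering and surface any regression under ASan.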