author | Thomas Guilbert <tguilbert@chromium.org> | 2020-07-25 16:06:33 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2020-08-11 14:48:26 +0000 |
commit | 10efe0032f2926cb582d1feca3377be3e3797f02 (patch) | |
tree | 6b7226eb5b035283746d45f2a123fb6341ce9249 | |
parent | c16701ae8926d2f60d5aa52e7f5aefe97dc29adc (diff) | |
download | qtwebengine-chromium-10efe0032f2926cb582d1feca3377be3e3797f02.tar.gz |
[Backport] CVE-2020-6544: Use after free in media
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2314981:
Fix iterator invalidation issue
If a RemotePlayback availabilityCallback invokes watchAvailability(),
it may cause changes to the underlying |availability_callbacks_|. This
can invalidate the iterator we are using to loop over the callbacks.
This CL copies the callbacks to a vector before invoking them, allowing
them to add/remove callbacks without problem.
Bug: 1108497
Change-Id: I78220da0b8e10c1d6c0e4fa5e15ada81f10f8fc3
Auto-Submit: Thomas Guilbert <tguilbert@chromium.org>
Reviewed-by: Mounir Lamouri <mlamouri@chromium.org>
Commit-Queue: Thomas Guilbert <tguilbert@chromium.org>
Cr-Commit-Position: refs/heads/master@{#791472}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
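The iterator invalidation pattern the commit message describes, as an added example that is not Chromium or Qt code: a hypothetical `AvailabilityRegistry` stands in for RemotePlayback, with `Watch()` and `Cancel()` standing in for registering and removing an availability callback and a `std::map` in place of Blink's container. `NotifyUnsafe()` keeps the pre-patch shape for contrast; `Notify()` applies the patch's snapshot and goes one step further by re-checking registration before each call, so a callback cancelled earlier in the same round is not run from the stale copy. The watchers in `RunScenario()` are constructed for the demonstration.

```cpp
#include <cstdio>
#include <functional>
#include <map>
#include <utility>
#include <vector>

// Hypothetical stand-in for RemotePlayback's availability-callback registry
// (example code, not Chromium or Qt code). callbacks_ plays the role of
// |availability_callbacks_|.
class AvailabilityRegistry {
 public:
  using Callback = std::function<void(bool available)>;

  // Stand-in for watchAvailability(): registers a callback, returns its id.
  int Watch(Callback cb) {
    int id = next_id_++;
    callbacks_.emplace(id, std::move(cb));
    return id;
  }

  // Stand-in for cancelling a watch. Erasing the entry the notification loop
  // is currently positioned on invalidates that loop's iterator.
  void Cancel(int id) { callbacks_.erase(id); }

  size_t Size() const { return callbacks_.size(); }

  // Pre-patch shape: iterate the live container while running callbacks.
  // A callback that calls Cancel() on its own id erases the node the
  // range-for iterator points at; the loop's next ++ reads freed memory
  // (AddressSanitizer reports heap-use-after-free). Kept for contrast only;
  // do not call it with callbacks that mutate the registry.
  void NotifyUnsafe(bool available) {
    for (auto& entry : callbacks_) entry.second(available);
  }

  // Patched shape plus one extra check: snapshot the callbacks so Watch() and
  // Cancel() from inside a callback cannot touch the loop, then re-check that
  // each id is still registered so a callback removed earlier in this round
  // is not run from the stale copy. Returns the ids actually invoked.
  std::vector<int> Notify(bool available) {
    std::vector<std::pair<int, Callback>> snapshot(callbacks_.begin(),
                                                   callbacks_.end());
    std::vector<int> invoked;
    for (auto& entry : snapshot) {
      if (callbacks_.find(entry.first) == callbacks_.end()) continue;
      invoked.push_back(entry.first);
      entry.second(available);
    }
    return invoked;
  }

 private:
  int next_id_ = 0;
  std::map<int, Callback> callbacks_;
};

// Constructed scenario: the first watcher cancels its sibling and registers a
// new watcher while the notification loop is running.
struct ScenarioResult {
  std::vector<int> first_round;   // ids invoked by the first Notify()
  std::vector<int> second_round;  // ids invoked by the second Notify()
  size_t registered_after;        // watchers left registered at the end
};

ScenarioResult RunScenario() {
  AvailabilityRegistry registry;
  int sibling_id = -1;
  registry.Watch([&](bool) {
    registry.Cancel(sibling_id);          // removes id 1 mid-round
    registry.Watch([](bool) {});          // adds a new watcher mid-round
  });
  sibling_id = registry.Watch([](bool) {});

  ScenarioResult r;
  r.first_round = registry.Notify(true);    // id 0 runs; id 1 skipped, id 2 added
  r.second_round = registry.Notify(false);  // ids 0 and 2 run; id 3 added
  r.registered_after = registry.Size();     // ids 0, 2, 3 remain
  return r;
}

int main() {
  ScenarioResult r = RunScenario();
  std::printf("first round:");
  for (int id : r.first_round) std::printf(" %d", id);
  std::printf("\nsecond round:");
  for (int id : r.second_round) std::printf(" %d", id);
  std::printf("\nregistered after: %zu\n", r.registered_after);
  return 0;
}
```

The snapshot alone is what the patch does; the membership re-check is the extra step that decides whether a watcher cancelled by an earlier callback in the same round still observes the change. Running `NotifyUnsafe()` with the same watchers under AddressSanitizer is the quickest way to see the original iterator invalidation reported.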
-rw-r--r-- | chromium/third_party/blink/renderer/modules/remoteplayback/remote_playback.cc | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/chromium/third_party/blink/renderer/modules/remoteplayback/remote_playback.cc b/chromium/third_party/blink/renderer/modules/remoteplayback/remote_playback.cc index 6f9836a57e1..dfa13c957c4 100644 --- a/chromium/third_party/blink/renderer/modules/remoteplayback/remote_playback.cc +++ b/chromium/third_party/blink/renderer/modules/remoteplayback/remote_playback.cc @@ -492,7 +492,12 @@ void RemotePlayback::AvailabilityChanged( if (new_availability == old_availability) return; - for (auto& callback : availability_callbacks_.Values()) + // Copy the callbacks to a temporary vector to prevent iterator invalidations, + // in case the JS callbacks invoke watchAvailability(). + HeapVector<Member<AvailabilityCallbackWrapper>> callbacks; + CopyValuesToVector(availability_callbacks_, callbacks); + + for (auto& callback : callbacks) callback->Run(this, new_availability); } |
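Review bot: the snapshot in `callbacks` stops the loop's iterator from being invalidated, but a callback that an earlier callback in the same loop removed from `availability_callbacks_` is still run from the copy, because nothing re-checks membership before `callback->Run(this, new_availability);`. If a cancelled watcher must not observe the change, look the wrapper up in `availability_callbacks_` again and skip it when it is no longer present. Separately, the hunk shows no include for `CopyValuesToVector`; confirm the header declaring it is already pulled in by remote_playback.cc so the backport builds without the rest of the upstream change.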