author | clamy <clamy@chromium.org> | 2020-06-23 13:23:23 +0000
---|---|---
committer | Michael Brüning <michael.bruning@qt.io> | 2020-07-22 15:23:28 +0000
commit | 288befc5a1e59a30bac5aa26b82e8b8a569c1b33 (patch) |
tree | 15fc3e9ea29c3059bb05fb7a6d69fda1764f7d4c |
parent | e61ea405c3ce8486fb00de64eadfef8e73f85a8f (diff) |
download | qtwebengine-chromium-288befc5a1e59a30bac5aa26b82e8b8a569c1b33.tar.gz |
[Backport] Security bug 1090543
Backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2254119:
Guard against UaF in NavigationRequest
This CL adds a check in NavigationRequest::OnWillProcessResponseProcessed to
return early if the call to ReadyToCommit leads to the deletion of the
NavigationRequest.
Bug: 1090543
Change-Id: Ida21db80caef1772f2f21c5d2449d3efe4dd1bb1
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
-rw-r--r-- | chromium/content/browser/frame_host/navigation_request.cc | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/chromium/content/browser/frame_host/navigation_request.cc b/chromium/content/browser/frame_host/navigation_request.cc index f6bef176125..cc38b2ebeab 100644 --- a/chromium/content/browser/frame_host/navigation_request.cc +++ b/chromium/content/browser/frame_host/navigation_request.cc @@ -3010,11 +3010,18 @@ void NavigationRequest::OnWillProcessResponseProcessed( DCHECK(processing_navigation_throttle_); processing_navigation_throttle_ = false; if (result.action() == NavigationThrottle::PROCEED) { + base::WeakPtr<NavigationRequest> weak_self(weak_factory_.GetWeakPtr()); // If the navigation is done processing the response, then it's ready to // commit. Inform observers that the navigation is now ready to commit, // unless it is not set to commit (204/205s/downloads). if (render_frame_host_) ReadyToCommitNavigation(false); + + // The call above might block on showing a user dialog. The interaction of + // the user with this dialog might result in the WebContents owning this + // NavigationRequest to be destroyed. Return if this is the case. + if (!weak_self) + return; } else { state_ = CANCELING; } |
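Review bot: the `if (!weak_self) return;` guard is only checked inside the `PROCEED` branch, immediately after `ReadyToCommitNavigation(false)`, so any code that follows the `if/else` in `OnWillProcessResponseProcessed` still runs unguarded in the `else` path and relies on that path never re-entering; that is fine as shown, but it would be clearer to state in the comment that `ReadyToCommitNavigation` is the only call here that can run a nested message loop and destroy `this`. The `weak_self` pointer is also created unconditionally before the `if (render_frame_host_)` check; moving it inside that branch, or next to the call it protects, keeps the lifetime concern local to the one statement that needs it. Finally, the diffstat shows only `navigation_request.cc` changed, so a regression test for bug 1090543 covering the dialog-during-ReadyToCommit path would make this backport verifiable.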