author | Andrey Kosyakov <caseq@chromium.org> | 2020-04-18 00:07:39 +0000 |
---|---|---|
committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2020-07-23 08:16:52 +0000 |
commit | 7e405525e92dc4f77c59c891e9add4bb5f120fe9 (patch) | |
tree | 4b519694eb8a83e336a4ff5720bcb16452d8d2ce | |
parent | 288befc5a1e59a30bac5aa26b82e8b8a569c1b33 (diff) | |
download | qtwebengine-chromium-7e405525e92dc4f77c59c891e9add4bb5f120fe9.tar.gz |
[Backport] CVE-2020-6530: Out of bounds memory access in
developer tools
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2154228:
DevTools: check whether Fetch domain is enabled before handling commands
Bug: 1016278
Change-Id: Icd80e3b287f090ffb4ac67437e7e1ebae392c98b
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/content/browser/devtools/protocol/fetch_handler.cc | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/chromium/content/browser/devtools/protocol/fetch_handler.cc b/chromium/content/browser/devtools/protocol/fetch_handler.cc
index fad1d3ccb74..de13df7a67a 100644
--- a/chromium/content/browser/devtools/protocol/fetch_handler.cc
+++ b/chromium/content/browser/devtools/protocol/fetch_handler.cc
@@ -316,6 +316,10 @@ void FetchHandler::ContinueWithAuth(
 void FetchHandler::GetResponseBody(
 const String& requestId,
 std::unique_ptr<GetResponseBodyCallback> callback) {
+ if (!interceptor_) {
+ callback->sendFailure(Response::Error("Fetch domain is not enabled"));
+ return;
+ }
 auto weapped_callback = std::make_unique<CallbackWrapper<
 GetResponseBodyCallback,
 DevToolsURLLoaderInterceptor::GetResponseBodyForInterceptionCallback,
@@ -326,6 +330,10 @@ void FetchHandler::GetResponseBody(
 void FetchHandler::TakeResponseBodyAsStream(
 const String& requestId,
 std::unique_ptr<TakeResponseBodyAsStreamCallback> callback) {
+ if (!interceptor_) {
+ callback->sendFailure(Response::Error("Fetch domain is not enabled"));
+ return;
+ }
 interceptor_->TakeResponseBodyPipe(
 requestId,
 base::BindOnce(&FetchHandler::OnResponseBodyPipeTaken, |
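Review bot: The `if (!interceptor_)` guard is added method by method, in GetResponseBody here and again in TakeResponseBodyAsStream in the second hunk, so the fix only holds if every other command handler that dereferences `interceptor_` carries the same check. ContinueWithAuth appears in the hunk header but its body, like the rest of the file, is outside this diff, so that should be confirmed against the full file before the backport is treated as complete. Neither guard says why the pointer can be null; a comment such as `// interceptor_ is null until the Fetch domain is enabled; reject commands sent before that.` would record the invariant, which I infer from the error string and the commit message rather than from visible code. The change also ships no regression test that issues these two commands with the domain disabled and expects the "Fetch domain is not enabled" failure. Both function bodies continue past the end of their hunks.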