authorAlexander Cooper <alcooper@chromium.org>2020-07-23 17:00:40 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2020-08-11 14:49:11 +0000
commitf7859651865c0b4b511714f5d68faac76f6a6d70 (patch)
treecf8ef4049819d993286a4fdbdfa5006113c4bd1c
parent0eed9609606159c3cd5b9d1c47dab23b1a4abc75 (diff)
downloadqtwebengine-chromium-f7859651865c0b4b511714f5d68faac76f6a6d70.tar.gz
[Backport] CVE-2020-6551: Use after free in WebXR
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2314158: Update FocusChanged notifiers to operate on a copy These focus changed calls ultimately trigger javascript events. These events could potentially run code that would modify the list of items that the FocusChanged notifiers are notifying, and thus invalidate their in-use iterators. Fix this by having these methods iterate over a copy instead of the member list. Fixed: 1107815 Change-Id: I03fa08eeadc60736f3a3fae079253dbd3ee26476 Reviewed-by: Daniel Cheng <dcheng@chromium.org> Reviewed-by: Klaus Weidner <klausw@chromium.org> Commit-Queue: Daniel Cheng <dcheng@chromium.org> Auto-Submit: Alexander Cooper <alcooper@chromium.org> Cr-Commit-Position: refs/heads/master@{#791261} Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/core/page/focus_controller.cc7
-rw-r--r--chromium/third_party/blink/renderer/modules/xr/xr.cc6
2 files changed, 11 insertions, 2 deletions
diff --git a/chromium/third_party/blink/renderer/core/page/focus_controller.cc b/chromium/third_party/blink/renderer/core/page/focus_controller.cc
index 03eef54ac1e..19615ab1bcb 100644
--- a/chromium/third_party/blink/renderer/core/page/focus_controller.cc
+++ b/chromium/third_party/blink/renderer/core/page/focus_controller.cc
@@ -1326,7 +1326,12 @@ void FocusController::RegisterFocusChangedObserver(
}
void FocusController::NotifyFocusChangedObservers() const {
- for (const auto& it : focus_changed_observers_)
+ // Since this eventually dispatches an event to the page, the page could add
+ // new observer, which would invalidate our iterators; so iterate over a copy
+ // of the observer list.
+ HeapHashSet<WeakMember<FocusChangedObserver>> observers =
+ focus_changed_observers_;
+ for (const auto& it : observers)
it->FocusedFrameChanged();
}
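Review bot: The copy guards the iterators, but it does not re-check membership: an observer that unregisters itself from `focus_changed_observers_` while an earlier observer's `FocusedFrameChanged()` is running would still be called from the stale copy, if unregistration during dispatch is possible (that path is not visible in this hunk). A cheap guard inside the loop is `if (focus_changed_observers_.Contains(it)) it->FocusedFrameChanged();`, which keeps the copy as the iteration source while skipping entries the member set has since dropped. The same copy-then-iterate pattern appears in `XR::FocusedFrameChanged` in xr.cc, where `sessions_` would benefit from the same check. The added comment's `could add new observer` reads better as `could add a new observer`.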
diff --git a/chromium/third_party/blink/renderer/modules/xr/xr.cc b/chromium/third_party/blink/renderer/modules/xr/xr.cc
index 0f0a0c792c2..968a1a4dca1 100644
--- a/chromium/third_party/blink/renderer/modules/xr/xr.cc
+++ b/chromium/third_party/blink/renderer/modules/xr/xr.cc
@@ -524,7 +524,11 @@ XR::XR(LocalFrame& frame, int64_t ukm_source_id)
void XR::FocusedFrameChanged() {
// Tell all sessions that focus changed.
- for (const auto& session : sessions_) {
+ // Since this eventually dispatches an event to the page, the page could
+ // create a new session which would invalidate our iterators; so iterate over
+ // a copy of the session map.
+ HeapHashSet<WeakMember<XRSession>> processing_sessions = sessions_;
+ for (const auto& session : processing_sessions) {
session->OnFocusChanged();
}