diff options
author | Dave Tapuska <dtapuska@chromium.org> | 2023-04-13 15:10:13 +0000 |
---|---|---|
committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2023-05-05 07:29:38 +0000 |
commit | ac74bd876b83b35ff85cfe274c277dd60bcbd856 (patch) | |
tree | 92a049b0e1ee561ce2f4880dba67d7bd7135f948 | |
parent | b9c61febbc35bdab43647cc74927ab65f5f83929 (diff) | |
download | qtwebengine-chromium-ac74bd876b83b35ff85cfe274c277dd60bcbd856.tar.gz |
[Backport] CVE-2023-1811: Use after free in Frames
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4372837:
[M108-LTS] Move the edit commands to an on stack variable
DevTools uses nested event loops and the usage of the class member can
be problematic for iteration because the nested loop can change the
variable's storage causing a UAF.
(cherry picked from commit d9b34f0f3a2d0dd73648eca3ef940fb66806227b)
Bug: 1420510
Change-Id: Ie08a71b60401fa4322cca0cc31062ba64672126a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4355811
Commit-Queue: Dave Tapuska <dtapuska@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1120123}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4372837
Reviewed-by: Dave Tapuska <dtapuska@chromium.org>
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Cr-Commit-Position: refs/branch-heads/5359@{#1435}
Cr-Branched-From: 27d3765d341b09369006d030f83f582a29eb57ae-refs/heads/main@{#1058933}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/475988
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/third_party/blink/renderer/core/frame/web_frame_widget_base.cc | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/chromium/third_party/blink/renderer/core/frame/web_frame_widget_base.cc b/chromium/third_party/blink/renderer/core/frame/web_frame_widget_base.cc index 9a865d32a72..004531ffe62 100644 --- a/chromium/third_party/blink/renderer/core/frame/web_frame_widget_base.cc +++ b/chromium/third_party/blink/renderer/core/frame/web_frame_widget_base.cc @@ -1543,11 +1543,18 @@ void WebFrameWidgetBase::AddEditCommandForNextKeyEvent(const WebString& name, } bool WebFrameWidgetBase::HandleCurrentKeyboardEvent() { - bool did_execute_command = false; + if (edit_commands_.IsEmpty()) { + return false; + } WebLocalFrame* frame = FocusedWebLocalFrameInWidget(); if (!frame) frame = local_root_; - for (const auto& command : edit_commands_) { + bool did_execute_command = false; + // Executing an edit command can run JS and we can end up reassigning + // `edit_commands_` so move it to a stack variable before iterating on it. + Vector<mojom::blink::EditCommandPtr> edit_commands = + std::move(edit_commands_); + for (const auto& command : edit_commands) { // In gtk and cocoa, it's possible to bind multiple edit commands to one // key (but it's the exception). Once one edit command is not executed, it // seems safest to not execute the rest. |