diff options
| author | Jaroslav Sevcik <jarin@chromium.org> | 2022-11-29 05:29:05 +0000 |
|---|---|---|
| committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2023-01-06 15:47:02 +0000 |
| commit | ce9155cc73d8a94f1536b96e841c0aee2ff7d921 (patch) | |
| tree | 1964635e189bf8511e0c5660946977ef9e07e3a5 | |
| parent | 41b696164b7398f99ccddb39997a8e24d20fdeba (diff) | |
| download | qtwebengine-chromium-ce9155cc73d8a94f1536b96e841c0aee2ff7d921.tar.gz | |
[Backport] CVE-2022-4438: Use after free in Blink Frames
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4055626:
Make WidgetBase::BeginMainFrame resilient to disposed 'this'
This patch makes sure that WidgetBase::BeginMainFrame can finish
execution even if processing the RAF-throttled handlers
(DispatchRafAlignedInput) destroys 'this' instance.
(cherry picked from commit af6e22c14bec7ad64115b24ece6d423f144214ca)
Bug: chromium:1381871
Change-Id: I81aa4ba697f80f8666bb2a3b5542cac210b1efa9
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4030809
Reviewed-by: Dave Tapuska <dtapuska@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1072864}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4055626
Auto-Submit: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/branch-heads/5414@{#279}
Cr-Branched-From: 4417ee59d7bf6df7a9c9ea28f7722d2ee6203413-refs/heads/main@{#1070088}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/450081
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| -rw-r--r-- | chromium/third_party/blink/renderer/platform/widget/widget_base.cc | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/chromium/third_party/blink/renderer/platform/widget/widget_base.cc b/chromium/third_party/blink/renderer/platform/widget/widget_base.cc index 497f1622e1e..73cfef43e0f 100644 --- a/chromium/third_party/blink/renderer/platform/widget/widget_base.cc +++ b/chromium/third_party/blink/renderer/platform/widget/widget_base.cc @@ -546,8 +546,14 @@ void WidgetBase::BeginMainFrame(base::TimeTicks frame_time) { if (ShouldRecordBeginMainFrameMetrics()) { raf_aligned_input_start_time = base::TimeTicks::Now(); } + + auto weak_this = weak_ptr_factory_.GetWeakPtr(); widget_input_handler_manager_->input_event_queue()->DispatchRafAlignedInput( frame_time); + // DispatchRafAlignedInput could have detached the frame. + if (!weak_this) + return; + if (ShouldRecordBeginMainFrameMetrics()) { client_->RecordDispatchRafAlignedInputTime(raf_aligned_input_start_time); } |