authorJoey Arhar <jarhar@chromium.org>2022-12-07 03:52:32 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2022-12-08 15:23:07 +0000
commite6541fea057160ae8bb1bd7f93d64a6fcf8ec4fa (patch)
treefd3532bfa91d09c4496b53e8ee10df233fd86875
parentff9819107ceb3e0e1137116d995fba752fdcab98 (diff)
[Backport] CVE-2022-4181: Use after free in Forms
Manual cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4033088: Avoid use-after-free in ValidationMessageOverlayDelegate When ValidationMessageOverlayDelegate calls ForceSynchronousDocumentInstall, it can somehow cause another validation overlay to be created and delete the ValidationMessageOverlayDelegate. This patch avoids additional code from being run inside the deleted ValidationMessageOverlayDelegate. (cherry picked from commit a37b66ded21af7ff1442bddd2ec3a0845535b3d6) (cherry picked from commit fb2bc66e8483c76ce56d2021e2ff82883bd16f87) Fixed: 1382581 Change-Id: I044f91ecb55c77c4a5c40030b6856fc9a8ac7f6f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4019655 Commit-Queue: Joey Arhar <jarhar@chromium.org> Cr-Original-Original-Commit-Position: refs/heads/main@{#1071652} Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4032526 Auto-Submit: Joey Arhar <jarhar@chromium.org> Commit-Queue: David Baron <dbaron@chromium.org> Cr-Original-Commit-Position: refs/branch-heads/5414@{#85} Cr-Original-Branched-From: 4417ee59d7bf6df7a9c9ea28f7722d2ee6203413-refs/heads/main@{#1070088} Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4033088 Owners-Override: Achuith Bhandarkar <achuith@chromium.org> Commit-Queue: Zakhar Voit <voit@google.com> Reviewed-by: Achuith Bhandarkar <achuith@chromium.org> Cr-Commit-Position: refs/branch-heads/5005@{#1398} Cr-Branched-From: 5b4d9450fee01f821b6400e947b3839727643a71-refs/heads/main@{#992738} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/447551 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/core/page/validation_message_overlay_delegate.cc15
-rw-r--r--chromium/third_party/blink/renderer/core/page/validation_message_overlay_delegate.h4
2 files changed, 18 insertions, 1 deletions
diff --git a/chromium/third_party/blink/renderer/core/page/validation_message_overlay_delegate.cc b/chromium/third_party/blink/renderer/core/page/validation_message_overlay_delegate.cc
index c91fe76dd0f..f86c25b6507 100644
--- a/chromium/third_party/blink/renderer/core/page/validation_message_overlay_delegate.cc
+++ b/chromium/third_party/blink/renderer/core/page/validation_message_overlay_delegate.cc
@@ -81,6 +81,8 @@ ValidationMessageOverlayDelegate::~ValidationMessageOverlayDelegate() {
EventDispatchForbiddenScope::AllowUserAgentEvents allow_events;
page_->WillBeDestroyed();
}
+ if (destroyed_ptr_)
+ *destroyed_ptr_ = true;
}
LocalFrameView& ValidationMessageOverlayDelegate::FrameView() const {
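Review bot: The new `*destroyed_ptr_ = true;` writes through a pointer to a stack variable owned by another frame, and nothing at this site says whose frame that is or why it is still alive; the hunk shows only the tail of `~ValidationMessageOverlayDelegate`, whose start is outside it. A comment would make the lifetime argument explicit, e.g. `// destroyed_ptr_ points at a local in the CreatePage() frame that is still waiting for ForceSynchronousDocumentInstall() to return, so it is safe to write through here.` The `if (destroyed_ptr_)` guard is what makes destruction outside that window a no-op, which is worth stating on the same lines.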
@@ -175,7 +177,18 @@ void ValidationMessageOverlayDelegate::CreatePage(const FrameOverlay& overlay) {
// Propagate deprecated DSF for platforms without use-zoom-for-dsf.
page_->SetDeviceScaleFactorDeprecated(
main_page_->DeviceScaleFactorDeprecated());
- frame->ForceSynchronousDocumentInstall("text/html", data);
+
+ // ForceSynchronousDocumentInstall can cause another call to
+ // ValidationMessageClientImpl::ShowValidationMessage, which will hide this
+ // validation message and may even delete this. In order to avoid continuing
+ // when this is destroyed, |destroyed| will be set to true in the destructor.
+ bool destroyed = false;
+ DCHECK(!destroyed_ptr_);
+ destroyed_ptr_ = &destroyed;
+ frame->ForceSynchronousDocumentInstall("text/html", data);
+ if (destroyed)
+ return;
+ destroyed_ptr_ = nullptr;
Element& main_message = GetElementById("main-message");
main_message.setTextContent(message_);
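Review bot: The `DCHECK(!destroyed_ptr_)` is the only thing that rules out a nested CreatePage() on the same object, and it compiles out in release builds; if the re-entrant ShowValidationMessage described in the new comment ever reaches CreatePage() again without deleting this, the inner frame's trailing `destroyed_ptr_ = nullptr;` detaches the outer frame's `destroyed` flag, so a deletion that happens after the inner call returns but before the outer ForceSynchronousDocumentInstall() completes would go unnoticed and the outer frame would continue on freed memory. Whether that nesting is reachable cannot be decided from this hunk. A per-frame check survives nesting and avoids storing a raw stack address in a member: `auto weak_this = weak_factory_.GetWeakPtr();` before the call and `if (!weak_this) return;` after it, backed by a `base::WeakPtrFactory<ValidationMessageOverlayDelegate> weak_factory_{this};` declared as the last member of the class. CreatePage() continues past the end of the hunk.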
diff --git a/chromium/third_party/blink/renderer/core/page/validation_message_overlay_delegate.h b/chromium/third_party/blink/renderer/core/page/validation_message_overlay_delegate.h
index e3dfbb49c89..1a6de139e74 100644
--- a/chromium/third_party/blink/renderer/core/page/validation_message_overlay_delegate.h
+++ b/chromium/third_party/blink/renderer/core/page/validation_message_overlay_delegate.h
@@ -69,6 +69,10 @@ class CORE_EXPORT ValidationMessageOverlayDelegate
String sub_message_;
TextDirection message_dir_;
TextDirection sub_message_dir_;
+
+ // Used by CreatePage() to determine if this has been deleted in the middle of
+ // the function.
+ bool* destroyed_ptr_ = nullptr;
};
} // namespace blink
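Review bot: The comment on `destroyed_ptr_` says what it is for but not the invariant that keeps it safe: it points at a bool on CreatePage()'s stack, so it must never be non-null once that frame has returned. Suggested wording: `// Points at a local in CreatePage()'s stack frame while ForceSynchronousDocumentInstall() runs; the destructor sets it to true. Must be reset to nullptr before CreatePage() returns so it never dangles.` The class definition starts outside the hunk.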