authorAdithya Srinivasan <adithyas@chromium.org>2022-02-25 18:28:35 +0000
committerMichal Klocek <michal.klocek@qt.io>2022-04-06 17:31:03 +0000
commit0336deeef1a026a74c1148a8272e7230b60243cf (patch)
treeace2cbf02ecf43b9ede477faa5925411d31d2b68
parent40371a7272ea99df68424cd49fc8443dd111c280 (diff)
downloadqtwebengine-chromium-0336deeef1a026a74c1148a8272e7230b60243cf.tar.gz
[Backport] CVE-2022-1125
Fix UAF in JavaScriptTabModalDialogManagerDelegateDesktop

See bug for more details.

Backport review link: https://chromium-review.googlesource.com/c/chromium/src/+/3465258
Bug: 1292261
Change-Id: Iebe499b4eda76b1b190f5f7b97a0938eb22dc405
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/content/browser/portal/portal.cc5
1 files changed, 5 insertions, 0 deletions
diff --git a/chromium/content/browser/portal/portal.cc b/chromium/content/browser/portal/portal.cc
index 2565b98545c..aef23d78547 100644
--- a/chromium/content/browser/portal/portal.cc
+++ b/chromium/content/browser/portal/portal.cc
@@ -606,6 +606,11 @@ void Portal::ActivateImpl(blink::TransferableMessage data,
devtools_instrumentation::PortalActivated(outer_contents->GetMainFrame());
successor_contents_raw->set_portal(nullptr);
+ // It's important we call this before destroying the outer contents'
+ // RenderWidgetHostView, otherwise the dialog may not be cleaned up correctly.
+ // See crbug.com/1292261 for more details.
+ outer_contents->CancelActiveAndPendingDialogs();
+
std::unique_ptr<WebContents> predecessor_web_contents =
delegate->ActivatePortalWebContents(outer_contents,
std::move(successor_contents));
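Review bot: The comment above `outer_contents->CancelActiveAndPendingDialogs();` states the ordering requirement but does not say which later statement destroys the outer contents' RenderWidgetHostView, so a later reorder or refactor could silently reintroduce the use-after-free. Presumably it is the `delegate->ActivatePortalWebContents(...)` call that follows; if that is right, the comment should name it, e.g. `// Must stay before delegate->ActivatePortalWebContents() below, which tears down the outer contents' RenderWidgetHostView (crbug.com/1292261).` The diffstat lists only portal.cc, so this backport appears to land without a regression test; a test that activates a portal while a JavaScript dialog is still open on the outer contents would pin the ordering. ActivateImpl begins and ends outside the hunk, so whether other paths destroy the view before this point cannot be checked from here.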