author | Adithya Srinivasan <adithyas@chromium.org> | 2022-02-25 18:28:35 +0000 |
---|---|---|
committer | Michal Klocek <michal.klocek@qt.io> | 2022-04-06 17:31:03 +0000 |
commit | 0336deeef1a026a74c1148a8272e7230b60243cf (patch) | |
tree | ace2cbf02ecf43b9ede477faa5925411d31d2b68 | |
parent | 40371a7272ea99df68424cd49fc8443dd111c280 (diff) | |
download | qtwebengine-chromium-0336deeef1a026a74c1148a8272e7230b60243cf.tar.gz |
[Backport] CVE-2022-1125
Fix UAF in JavaScriptTabModalDialogManagerDelegateDesktop
See bug for more details.
Backport review link:
https://chromium-review.googlesource.com/c/chromium/src/+/3465258
Bug: 1292261
Change-Id: Iebe499b4eda76b1b190f5f7b97a0938eb22dc405
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/content/browser/portal/portal.cc | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/chromium/content/browser/portal/portal.cc b/chromium/content/browser/portal/portal.cc index 2565b98545c..aef23d78547 100644 --- a/chromium/content/browser/portal/portal.cc +++ b/chromium/content/browser/portal/portal.cc @@ -606,6 +606,11 @@ void Portal::ActivateImpl(blink::TransferableMessage data, devtools_instrumentation::PortalActivated(outer_contents->GetMainFrame()); successor_contents_raw->set_portal(nullptr); + // It's important we call this before destroying the outer contents' + // RenderWidgetHostView, otherwise the dialog may not be cleaned up correctly. + // See crbug.com/1292261 for more details. + outer_contents->CancelActiveAndPendingDialogs(); + std::unique_ptr<WebContents> predecessor_web_contents = delegate->ActivatePortalWebContents(outer_contents, std::move(successor_contents)); |
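Review bot: the fix rests entirely on ordering, and nothing in the hunk enforces it: the new `outer_contents->CancelActiveAndPendingDialogs();` has to stay ahead of `delegate->ActivatePortalWebContents(outer_contents, std::move(successor_contents));`, which the added comment identifies as the point where the outer contents' RenderWidgetHostView is destroyed, so a later reorder would silently reintroduce the use-after-free. Consider adding a browser test that opens a tab-modal dialog in the outer contents and then activates the portal, so the ordering is pinned by a regression check rather than by the comment alone. The comment could also be more specific about the failure: the commit message names a UAF in JavaScriptTabModalDialogManagerDelegateDesktop, whereas the comment says only that the dialog "may not be cleaned up correctly", which understates why the call cannot move.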