author: Kramer Ge <fangzhoug@chromium.org> 2022-03-14 00:07:44 +0000
committer: Michael Brüning <michael.bruning@qt.io> 2022-05-20 15:08:39 +0000
commit: ae89c0c16bfc7de4b999f82159ed9aa8f814fb81 (patch)
tree: 717843d2bbd1ad4b649a7463dbae3976235d454a
parent: 92bb62539606a47f0370f0558a267fd9bc7e4e0c (diff)
download: qtwebengine-chromium-ae89c0c16bfc7de4b999f82159ed9aa8f814fb81.tar.gz
[Backport] CVE-2022-1487: Use after free in Ozone

Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3517354:

WaylandWindow's parent_window use-after-free

To ensure the child_window access after the parent's destruction doesn't
have a UAF, clear the parent_window of the child in the dtor.

Change-Id: I18ea65a76e715e98747588fbe75e1a37cbbe199c
Bug: 1304368
Reviewed-by: Maksim Sisov <msisov@igalia.com>
Commit-Queue: Kramer Ge <fangzhoug@chromium.org>
Cr-Commit-Position: refs/heads/main@{#980391}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- chromium/ui/ozone/platform/wayland/host/wayland_window.cc | 3 +++
1 file changed, 3 insertions, 0 deletions
diff --git a/chromium/ui/ozone/platform/wayland/host/wayland_window.cc b/chromium/ui/ozone/platform/wayland/host/wayland_window.cc
index edc21c70b89..0b06d4bd93a 100644
--- a/chromium/ui/ozone/platform/wayland/host/wayland_window.cc
+++ b/chromium/ui/ozone/platform/wayland/host/wayland_window.cc
@@ -78,6 +78,9 @@ WaylandWindow::~WaylandWindow() {
if (parent_window_)
parent_window_->set_child_window(nullptr);
+
+ if (child_window_)
+ child_window_->set_parent_window(nullptr);
}
void WaylandWindow::OnWindowLostCapture() {
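Review bot: the new `if (child_window_) child_window_->set_parent_window(nullptr);` block mirrors the existing parent-side clearing directly above it, which makes the two back-pointers consistent, but it only converts a dangling `parent_window_` into a null one: any path in WaylandWindow that dereferences `parent_window_` without a guard like the `if (parent_window_)` check visible in this destructor will now null-dereference instead of reading freed memory, so those call sites should be audited as part of this fix rather than left to the next crash report. The backport is also a 3-line, single-file change with no accompanying regression test for Bug 1304368; a unit test that destroys the parent first and then touches the child's parent pointer would lock in the intended behaviour and would have caught the original UAF under ASan.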