| Field | Value | Date |
|---|---|---|
| author | Kramer Ge <fangzhoug@chromium.org> | 2022-03-14 00:07:44 +0000 |
| committer | Michael Brüning <michael.bruning@qt.io> | 2022-05-20 15:08:39 +0000 |
| commit | ae89c0c16bfc7de4b999f82159ed9aa8f814fb81 (patch) | |
| tree | 717843d2bbd1ad4b649a7463dbae3976235d454a | |
| parent | 92bb62539606a47f0370f0558a267fd9bc7e4e0c (diff) | |
| download | qtwebengine-chromium-ae89c0c16bfc7de4b999f82159ed9aa8f814fb81.tar.gz | |
[Backport] CVE-2022-1487: Use after free in Ozone
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3517354:
WaylandWindow's parent_window use-after-free
To ensure the child_window access after parent's destruct doesn't have
UAF, clear the parent_window of the child in dtor.
Change-Id: I18ea65a76e715e98747588fbe75e1a37cbbe199c
Bug: 1304368
Reviewed-by: Maksim Sisov <msisov@igalia.com>
Commit-Queue: Kramer Ge <fangzhoug@chromium.org>
Cr-Commit-Position: refs/heads/main@{#980391}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
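The dangling back-pointer that the commit message describes, as an added example that is not Chromium or Qt code: a hypothetical `Window` class standing in for WaylandWindow, with the same raw `parent_`/`child_` links and a destructor that, with the fix enabled, unlinks both directions. The `with_fix` switch, the `parent_link_cleared()` observer and the `ChildNotifiedOfParentDestruction()` driver are all constructed here for illustration.

```cpp
#include <memory>

// Minimal stand-in for WaylandWindow (hypothetical; the real class is much
// larger). Parent and child hold raw back-pointers to each other, the pattern
// that left child->parent_window_ dangling in the commit message.
class Window {
 public:
  explicit Window(bool unlink_child_on_destroy)
      : unlink_child_on_destroy_(unlink_child_on_destroy) {}

  ~Window() {
    // Pre-existing behaviour: detach ourselves from the parent.
    if (parent_)
      parent_->set_child_window(nullptr);
    // The backported fix: also detach the child, so it never dereferences a
    // parent that has already been destroyed.
    if (unlink_child_on_destroy_ && child_)
      child_->set_parent_window(nullptr);
  }

  void set_parent_window(Window* parent) {
    if (parent == nullptr)
      parent_link_cleared_ = true;  // observed by the demo without reading parent_
    parent_ = parent;
  }
  void set_child_window(Window* child) { child_ = child; }
  Window* parent_window() const { return parent_; }
  bool parent_link_cleared() const { return parent_link_cleared_; }

 private:
  const bool unlink_child_on_destroy_;
  Window* parent_ = nullptr;
  Window* child_ = nullptr;
  bool parent_link_cleared_ = false;
};

// Destroys a parent window while its child is still alive and reports whether
// the child was told about it. `with_fix` selects the patched destructor.
bool ChildNotifiedOfParentDestruction(bool with_fix) {
  auto child = std::make_unique<Window>(with_fix);
  {
    auto parent = std::make_unique<Window>(with_fix);
    parent->set_child_window(child.get());
    child->set_parent_window(parent.get());
  }  // parent freed here; without the fix, child->parent_ now dangles

  const bool notified = child->parent_link_cleared();
  if (!notified) {
    // Without the fix the child's own destructor would call
    // parent_->set_child_window() on freed memory (the use-after-free).
    // Clear the link by hand so this demo stays well-defined.
    child->set_parent_window(nullptr);
  }
  return notified;
}
```

The unfixed path has to clear the link manually at the end; that manual step is exactly what the patched destructor does on the child's behalf, and it is what the sanitizer would otherwise flag as a heap use-after-free when the child is torn down.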
-rw-r--r-- | chromium/ui/ozone/platform/wayland/host/wayland_window.cc | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/chromium/ui/ozone/platform/wayland/host/wayland_window.cc b/chromium/ui/ozone/platform/wayland/host/wayland_window.cc index edc21c70b89..0b06d4bd93a 100644 --- a/chromium/ui/ozone/platform/wayland/host/wayland_window.cc +++ b/chromium/ui/ozone/platform/wayland/host/wayland_window.cc @@ -78,6 +78,9 @@ WaylandWindow::~WaylandWindow() { if (parent_window_) parent_window_->set_child_window(nullptr); + + if (child_window_) + child_window_->set_parent_window(nullptr); } void WaylandWindow::OnWindowLostCapture() { |
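Review bot: the new block unlinks at most one child, because `child_window_` is a single pointer; if a WaylandWindow can ever be the parent of more than one window, the remaining children keep a dangling `parent_window_` after this destructor runs, so the one-child invariant is worth confirming in review. Callers that read `parent_window()` must now tolerate nullptr for a window whose parent has gone away, mirroring what `child_window()` already returns after the pre-existing `parent_window_->set_child_window(nullptr)` above. The diffstat shows only wayland_window.cc touched and no test change; a test that destroys a parent while its child is still alive would pin the fix down.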