author | Adam Rice <ricea@chromium.org> | 2021-01-28 11:14:43 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2021-04-06 08:56:06 +0000 |
commit | b52696bdea60ac2b536b5c7192232f560f8ce191 (patch) | |
tree | 2bdb771e43b6012009144ee28cfb24b9dedd86c5 | |
parent | ba310eea830a7286fecf70f6daf4ac25c56c17d4 (diff) | |
download | qtwebengine-chromium-b52696bdea60ac2b536b5c7192232f560f8ce191.tar.gz |
[Backport] CVE-2021-21157: Use after free in Web Sockets
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2655089:
WebSocket: Don't clear event queue on destruction
It's unnecessary to clear the event queue as it will be garbage
collected anyway. Stop doing it.
Also add a unit test for GC with pending events. This can only happen if
the execution context changes while the events are pending.
BUG=1170657
Change-Id: I01e5a687587f7471e88640c43f0dfe83e5c01bd1
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Commit-Queue: Adam Rice <ricea@chromium.org>
Cr-Commit-Position: refs/heads/master@{#848065}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/third_party/blink/renderer/modules/websockets/dom_websocket.cc | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/chromium/third_party/blink/renderer/modules/websockets/dom_websocket.cc b/chromium/third_party/blink/renderer/modules/websockets/dom_websocket.cc index 7c97e3bc815..28c6c4d179e 100644 --- a/chromium/third_party/blink/renderer/modules/websockets/dom_websocket.cc +++ b/chromium/third_party/blink/renderer/modules/websockets/dom_websocket.cc @@ -75,8 +75,8 @@ DOMWebSocket::EventQueue::EventQueue(EventTarget* target) this, &EventQueue::ResumeTimerFired) {} -DOMWebSocket::EventQueue::~EventQueue() { - ContextDestroyed(); +DOMWebSocket::EventQueue::~EventQueue() { + resume_timer_.Stop(); } void DOMWebSocket::EventQueue::Dispatch(Event* event) { |
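Review bot: The commit message says a unit test for GC with pending events was added, but the diffstat shows only dom_websocket.cc changed (1 file, 2 insertions, 2 deletions), so the test did not come across in this backport; either cherry-pick the test as well or state in the message that it was dropped. On the hunk itself, replacing `ContextDestroyed();` with `resume_timer_.Stop();` in `DOMWebSocket::EventQueue::~EventQueue()` matches the stated intent: the destructor no longer clears the garbage-collected event queue while still stopping the pending resume timer. Since this is the only call site changed, it is worth confirming that nothing else `ContextDestroyed()` did is still required at destruction time.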