author | Marijn Kruisselbrink <mek@chromium.org> | 2019-01-31 00:15:16 +0000 |
---|---|---|
committer | Michal Klocek <michal.klocek@qt.io> | 2019-03-25 10:01:21 +0000 |
commit | e8bb1f1a6b2877c86519749ffab34f94bb6a1028 (patch) | |
tree | 0012bf7cb6b84740d84098b79d35132a01342872 | |
parent | 9d8557937b0b7db7d32b0a820d737acbecc42b2e (diff) | |
download | qtwebengine-chromium-e8bb1f1a6b2877c86519749ffab34f94bb6a1028.tar.gz |
[Backport] CVE-2019-5788
Harden against overflows of OperationID a bit better.
Rather than triggering a use-after-free when OperationID overflows, overwrite
the old operation with the new one. Can still cause weirdness, but at
least won't result in UAF. Also update OperationID to uint64_t to
make sure we don't overflow to begin with.
Bug: 925864
Reviewed-on: https://chromium-review.googlesource.com/c/1441498
Change-Id: Ie13274f1966a6d751a0f5e0ceaf7554afc2e2f2f
Reviewed-by: Michael BrĂ¼ning <michael.bruning@qt.io>
-rw-r--r-- | chromium/storage/browser/fileapi/file_system_operation_runner.cc | 3 | ||||
-rw-r--r-- | chromium/storage/browser/fileapi/file_system_operation_runner.h | 2 |
2 files changed, 3 insertions, 2 deletions
diff --git a/chromium/storage/browser/fileapi/file_system_operation_runner.cc b/chromium/storage/browser/fileapi/file_system_operation_runner.cc
index fbda72b3cdf..a8b00657e34 100644
--- a/chromium/storage/browser/fileapi/file_system_operation_runner.cc
+++ b/chromium/storage/browser/fileapi/file_system_operation_runner.cc
@@ -701,7 +701,8 @@ FileSystemOperationRunner::BeginOperation(
 base::WeakPtr<BeginOperationScoper> scope) {
 OperationHandle handle;
 handle.id = next_operation_id_++;
- operations_.emplace(handle.id, std::move(operation));
+ DCHECK(operations_.find(handle.id) == operations_.end());
+ operations_[handle.id] = std::move(operation);
 handle.scope = scope;
 return handle;
 }
diff --git a/chromium/storage/browser/fileapi/file_system_operation_runner.h b/chromium/storage/browser/fileapi/file_system_operation_runner.h
index a330f4802d5..97f9e0d8116 100644
--- a/chromium/storage/browser/fileapi/file_system_operation_runner.h
+++ b/chromium/storage/browser/fileapi/file_system_operation_runner.h
@@ -53,7 +53,7 @@ class STORAGE_EXPORT FileSystemOperationRunner
 using CopyOrMoveOption = FileSystemOperation::CopyOrMoveOption;
 using GetMetadataField = FileSystemOperation::GetMetadataField;
- using OperationID = int;
+ using OperationID = uint64_t;
 virtual ~FileSystemOperationRunner();
|
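Review bot: The uniqueness check added ahead of the assignment is a DCHECK, so in release builds, where DCHECKs compile out, an id collision goes undetected and `operations_[handle.id] = std::move(operation)` silently destroys the previous FileSystemOperation while a pending callback may still hold its handle; the commit message itself calls this outcome "weirdness". Now that OperationID is 64-bit and `next_operation_id_++` cannot realistically wrap, a collision is a genuine invariant violation and a deterministic crash is preferable to corrupted operation state, so I would use `CHECK(operations_.find(handle.id) == operations_.end()) << "OperationID collision";` instead. This reasoning only holds if `next_operation_id_` itself is declared as OperationID rather than a plain `int`; its declaration is not in this change, so please confirm, otherwise the counter still wraps at 2^31 and the signed increment is undefined behaviour. BeginOperation's signature begins outside the hunk.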
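Review bot: The new alias deserves a comment saying why it is 64-bit, because a reader seeing `using OperationID = uint64_t;` beside the other `using` lines has no hint that it is a hardening fix: `// 64-bit and unsigned so that next_operation_id_++ cannot realistically wrap and hand out an id that is still live in operations_; see crbug.com/925864.` The move from `int` also turns the wrap-around from undefined signed overflow into defined unsigned wrap, which is worth stating in that comment. Whether `uint64_t` is already in scope depends on includes outside the hunk; if the header does not pull in `<stdint.h>`, add it. Any other place that stores an OperationID as a plain `int` (a member counter, a map key, an IPC parameter) would now narrow silently, which this hunk cannot show, so a grep is warranted. The enclosing class starts and ends outside the hunk.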