| author | Hongchan Choi <hongchan@chromium.org> | 2023-01-25 20:31:15 +0000 |
|---|---|---|
| committer | Michael Brüning <michael.bruning@qt.io> | 2023-04-04 11:26:04 +0000 |
| commit | 799ad56b699eaf3586e6379b279c2563b3f3d4b4 | |
| tree | 19e1a7f164c285302aee2c04ff6d3f875cfd20c9 /chromium/build/linux | |
| parent | 9dd9b39ef9d0e6db80e598d5ad2a2b98451f5323 | |
| download | qtwebengine-chromium-799ad56b699eaf3586e6379b279c2563b3f3d4b4.tar.gz | |
[Backport] CVE-2023-1222: Heap buffer overflow in Web Audio API
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4150813:
Handle a transitory state of context/destination correctly for AudioWorklet operation
When the context resumes from a suspended state, it is possible for
the internal (destination) and the external (context) state to be
different in a rare case. This allows the non-worklet thread to
touch the worklet-related objects, which can cause invalid access
to the V8-managed memory space.
This CL adds a check; if the context state is suspended it swaps
the task runner right away without waiting until a resume() promise
is resolved.
Bug: 1403515
Test: The provided repro case doesn't crash ASAN anymore.
Change-Id: Ic2ea7b0337c444b7dc7d9d8b7195ed3e9ac3955f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4150813
Reviewed-by: Michael Wilson <mjwilson@chromium.org>
Commit-Queue: Hongchan Choi <hongchan@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1096948}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/469844
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Diffstat (limited to 'chromium/build/linux')
0 files changed, 0 insertions, 0 deletions