diff options
| author | Josh Karlin <jkarlin@chromium.org> | 2021-03-02 03:00:18 +0000 |
|---|---|---|
| committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2021-04-19 22:35:11 +0000 |
| commit | aac48dd2cd1f34beb4d29a409c24f1ff4f98213c (patch) | |
| tree | 80402c2b0bd3e025a7db17f0d6a346c52bbc3e3d /chromium/components/media_control | |
| parent | edc86cc74b9565c7d67341bbfa6efbe1859dbb8d (diff) | |
| download | qtwebengine-chromium-aac48dd2cd1f34beb4d29a409c24f1ff4f98213c.tar.gz | |
[Backport] CVE-2021-21214: Use after free in Network API
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2727306:
Fix removal of observers in NetworkStateNotifier
The NetworkStateNotifier has a per-thread list of observer pointers. If
one is deleted mid-iteration, what we do is replace the pointer in the
list with a 0, and add the index to the zeroed list of observers to
remove after iteration completes. Well, the removal step was broken
for cases where there were multiple elements to remove. It didn't adjust
for the fact that the indexes shifted after each removal.
Bug: 1170148
Change-Id: I446acaae5f8a805a58142848634a0ee8c5f90882
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Commit-Queue: Josh Karlin <jkarlin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#858853}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'chromium/components/media_control')
0 files changed, 0 insertions, 0 deletions