delta/qt5/qtwebengine-chromium.git - code.qt.io: qt/qtwebengine-chromium.git

diff options

author	Jaroslav Sevcik <jarin@chromium.org>	2022-11-29 05:29:05 +0000
committer	Michael Brüning <michael.bruning@qt.io>	2023-01-06 15:47:02 +0000
commit	ce9155cc73d8a94f1536b96e841c0aee2ff7d921 (patch)
tree	1964635e189bf8511e0c5660946977ef9e07e3a5 /chromium/ipc/ipc_mojo_bootstrap.cc
parent	41b696164b7398f99ccddb39997a8e24d20fdeba (diff)
download	qtwebengine-chromium-ce9155cc73d8a94f1536b96e841c0aee2ff7d921.tar.gz

[Backport] CVE-2022-4438: Use after free in Blink Frames

Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4055626: Make WidgetBase::BeginMainFrame resilient to disposed 'this' This patch makes sure that WidgetBase::BeginMainFrame can finish execution even if processing the RAF-throttled handlers (DispatchRafAlignedInput) destroys 'this' instance. (cherry picked from commit af6e22c14bec7ad64115b24ece6d423f144214ca) Bug: chromium:1381871 Change-Id: I81aa4ba697f80f8666bb2a3b5542cac210b1efa9 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4030809 Reviewed-by: Dave Tapuska <dtapuska@chromium.org> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org> Cr-Original-Commit-Position: refs/heads/main@{#1072864} Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4055626 Auto-Submit: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/branch-heads/5414@{#279} Cr-Branched-From: 4417ee59d7bf6df7a9c9ea28f7722d2ee6203413-refs/heads/main@{#1070088} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/450081 Reviewed-by: Michal Klocek <michal.klocek@qt.io>

Diffstat (limited to 'chromium/ipc/ipc_mojo_bootstrap.cc')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: