author | Jaroslav Sevcik <jarin@chromium.org> | 2022-11-29 05:29:05 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2023-01-06 15:47:02 +0000 |
commit | ce9155cc73d8a94f1536b96e841c0aee2ff7d921 (patch) | |
tree | 1964635e189bf8511e0c5660946977ef9e07e3a5 /chromium/ipc/ipc_mojo_bootstrap.cc | |
parent | 41b696164b7398f99ccddb39997a8e24d20fdeba (diff) | |
download | qtwebengine-chromium-ce9155cc73d8a94f1536b96e841c0aee2ff7d921.tar.gz |
[Backport] CVE-2022-4438: Use after free in Blink Frames

Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4055626:

Make WidgetBase::BeginMainFrame resilient to disposed 'this'

This patch makes sure that WidgetBase::BeginMainFrame can finish
execution even if processing the RAF-throttled handlers
(DispatchRafAlignedInput) destroys 'this' instance.

(cherry picked from commit af6e22c14bec7ad64115b24ece6d423f144214ca)

Bug: chromium:1381871
Change-Id: I81aa4ba697f80f8666bb2a3b5542cac210b1efa9
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4030809
Reviewed-by: Dave Tapuska <dtapuska@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1072864}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4055626
Auto-Submit: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/branch-heads/5414@{#279}
Cr-Branched-From: 4417ee59d7bf6df7a9c9ea28f7722d2ee6203413-refs/heads/main@{#1070088}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/450081
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Diffstat (limited to 'chromium/ipc/ipc_mojo_bootstrap.cc')
0 files changed, 0 insertions, 0 deletions