diff options
author | Benoit Lize <lizeb@chromium.org> | 2023-03-21 11:14:20 +0000 |
---|---|---|
committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2023-05-02 08:58:17 +0000 |
commit | 77e9a6c5028a9712490d65214a9882143c329ec5 (patch) | |
tree | 56d393972456cd5dfe9d45ceb5ce23019e05a931 /chromium/third_party/blink/renderer/platform/bindings/parkable_string.h | |
parent | d6c41f42c6315694b2aa3f435fd5fc4dac578108 (diff) | |
download | qtwebengine-chromium-77e9a6c5028a9712490d65214a9882143c329ec5.tar.gz |
[Backport] CVE-2023-1812: Out of bounds memory access in DOM Bindings
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4357658:
Take encoding into account for ParkableString hashing
Hashing is used for string deduplication, must take encoding into
account. See linked bug for details.
(cherry picked from commit ab66c0409aece5bd57511792a3867920f31c589b)
Bug: 1418224
Change-Id: I63c024d0a97e44b1f3323cd1ca4d9e953c2beed1
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4328136
Commit-Queue: Benoit Lize <lizeb@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1117528}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4357658
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: Benoit Lize <lizeb@chromium.org>
Auto-Submit: Benoit Lize <lizeb@chromium.org>
Cr-Commit-Position: refs/branch-heads/5615@{#696}
Cr-Branched-From: 9c6408ef696e83a9936b82bbead3d41c93c82ee4-refs/heads/main@{#1109224}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/474365
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'chromium/third_party/blink/renderer/platform/bindings/parkable_string.h')
-rw-r--r-- | chromium/third_party/blink/renderer/platform/bindings/parkable_string.h | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/chromium/third_party/blink/renderer/platform/bindings/parkable_string.h b/chromium/third_party/blink/renderer/platform/bindings/parkable_string.h index 78e2185cced..0d607577347 100644 --- a/chromium/third_party/blink/renderer/platform/bindings/parkable_string.h +++ b/chromium/third_party/blink/renderer/platform/bindings/parkable_string.h @@ -57,6 +57,9 @@ class PLATFORM_EXPORT ParkableStringImpl final constexpr static size_t kDigestSize = 32; // SHA256. using SecureDigest = Vector<uint8_t, kDigestSize>; // Computes a secure hash of a |string|, to be passed to |MakeParkable()|. + // + // TODO(lizeb): This is the "right" way of hashing a string. Move this code + // into WTF, and make sure it's the only way that is used. static std::unique_ptr<SecureDigest> HashString(StringImpl* string); // Not all ParkableStringImpls are actually parkable. |