author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-07-31 12:05:40 +0200 |
---|---|---|
committer | Jüri Valdmann <juri.valdmann@qt.io> | 2019-08-05 08:41:27 +0000 |
commit | 687e6c44d85e93f8e789e5378779baa624900ba5 (patch) | |
tree | 3018fda0f595154b7a21651e74f59acc98b787bc /chromium/third_party/mach_override | |
parent | bf972a73b09258e3d934aa037b5fd5f5e643a620 (diff) | |
download | qtwebengine-chromium-687e6c44d85e93f8e789e5378779baa624900ba5.tar.gz |
[Backport] CVE-2019-5851

Avoid accessing context's fields after destruction

AudioHandler::Context() returns an untraced raw pointer to the
context so checking its value might be pointing some non-null
garbage after the context is gone. In that case, invoking
GetExecutionContext() might return a pointer to some random
memory space.

By checking a local flag on ExecutionContext's validity,
we can avoid such memory access.

Bug: 977107
Test: ASAN build does not crash on a repro code with the fix.
Change-Id: I19020e019cc3d9d52de3bebbe23129e7dd7b0a5e
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Commit-Queue: Hongchan Choi <hongchan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#676431}
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
Diffstat (limited to 'chromium/third_party/mach_override')
0 files changed, 0 insertions, 0 deletions
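
The pattern the commit message describes, as an added C++ example that is not code from this commit or from Chromium: a handler keeps a raw pointer to its context and consults a local validity flag, rather than the pointer value, before reading any context field. All class and method names are hypothetical, and the destruction callback that clears the flag is an assumption about how such a flag is kept current.

```cpp
// Added illustration: every name here is hypothetical, not Blink code.
#include <algorithm>
#include <memory>
#include <string>
#include <utility>
#include <vector>

class Handler;

class Context {
 public:
  explicit Context(std::string origin) : origin_(std::move(origin)) {}
  ~Context();  // tells every registered handler that the context is gone
  void Register(Handler* h) { handlers_.push_back(h); }
  void Unregister(Handler* h) {
    handlers_.erase(std::remove(handlers_.begin(), handlers_.end(), h),
                    handlers_.end());
  }
  const std::string& origin() const { return origin_; }
 private:
  std::string origin_;
  std::vector<Handler*> handlers_;
};

class Handler {
 public:
  explicit Handler(Context* c) : context_(c) { context_->Register(this); }
  ~Handler() { if (context_valid_) context_->Unregister(this); }
  void ContextDestroyed() { context_valid_ = false; }
  // Reads a context field only while the local flag says the context lives.
  // A `context_ != nullptr` test would still pass after destruction.
  std::string OriginOrEmpty() const {
    return context_valid_ ? context_->origin() : std::string();
  }
 private:
  Context* context_;           // raw, untraced: dangles once the context dies
  bool context_valid_ = true;  // local flag, checked before any dereference
};

Context::~Context() { for (Handler* h : handlers_) h->ContextDestroyed(); }

std::string OriginAfterTeardown() {
  auto ctx = std::make_unique<Context>("https://example.test");
  Handler handler(ctx.get());
  ctx.reset();  // context destroyed first; the handler outlives it
  return handler.OriginOrEmpty();
}

int main() { return OriginAfterTeardown().empty() ? 0 : 1; }
```

Building this with AddressSanitizer and replacing the flag check with `context_ != nullptr` makes the stale read visible, which mirrors the ASAN test noted in the commit message.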