author | Danil Somsikov <dsv@chromium.org> | 2023-01-20 15:04:49 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2023-02-20 15:06:22 +0000 |
commit | 7ced3e282452681f2743f6ca56bc44f1cf94442f (patch) | |
tree | 5726564d65b19d68e3e882a9b35a0e9495a874e2 /chromium | |
parent | 57f59ff7b955d773a3aa80098f073b2c10691581 (diff) | |
download | qtwebengine-chromium-7ced3e282452681f2743f6ca56bc44f1cf94442f.tar.gz |
[Backport] CVE-2023-0703: Type Confusion in DevTools
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4183821:
Check arguments type in DevToolsHost.showContextMenuAtPoint
(cherry picked from commit 954e76692edf965e588ee80350c20ad403f82ea0)
Bug: 1405574
Change-Id: Id06637839096402e05a2278b06f2f84b3037e21d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4165089
Auto-Submit: Danil Somsikov <dsv@chromium.org>
Commit-Queue: Kouhei Ueno <kouhei@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1093205}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4183821
Cr-Commit-Position: refs/branch-heads/5481@{#498}
Cr-Branched-From: 130f3e4d850f4bc7387cfb8d08aa993d288a67a9-refs/heads/main@{#1084008}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/461067
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Diffstat (limited to 'chromium')
-rw-r--r-- | chromium/third_party/blink/renderer/bindings/core/v8/custom/v8_dev_tools_host_custom.cc | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/chromium/third_party/blink/renderer/bindings/core/v8/custom/v8_dev_tools_host_custom.cc b/chromium/third_party/blink/renderer/bindings/core/v8/custom/v8_dev_tools_host_custom.cc index 1b58cf41d25..0732e2d0cef 100644 --- a/chromium/third_party/blink/renderer/bindings/core/v8/custom/v8_dev_tools_host_custom.cc +++ b/chromium/third_party/blink/renderer/bindings/core/v8/custom/v8_dev_tools_host_custom.cc @@ -65,8 +65,13 @@ static bool PopulateContextMenuItems(v8::Isolate* isolate, std::vector<MenuItemInfo>& items) { v8::Local<v8::Context> context = isolate->GetCurrentContext(); for (uint32_t i = 0; i < item_array->Length(); ++i) { - v8::Local<v8::Object> item = - item_array->Get(context, i).ToLocalChecked().As<v8::Object>(); + v8::Local<v8::Value> item_value = + item_array->Get(context, i).ToLocalChecked(); + if (!item_value->IsObject()) { + return false; + } + v8::Local<v8::Object> item = item_value.As<v8::Object>(); + v8::Local<v8::Value> type; v8::Local<v8::Value> id; v8::Local<v8::Value> label; |
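Review bot: In the loop of PopulateContextMenuItems, the added `item_array->Get(context, i).ToLocalChecked()` still terminates the process if Get returns an empty MaybeLocal (for example when element access throws), so the new IsObject() check covers non-object elements but not a failed lookup. Consider folding both into one guard, such as `if (!item_array->Get(context, i).ToLocal(&item_value) || !item_value->IsObject()) return false;`. Returning false from inside the loop may also leave `items` holding entries added on earlier iterations, so either clear it before returning or document that callers must discard it on failure. The diffstat shows only this one file changed; a regression test that passes an array containing a non-object element would help keep the check in place.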