author | Yoshisato Yanagisawa <yyanagisawa@chromium.org> | 2023-04-26 09:00:54 +0000
---|---|---
committer | Michael Brüning <michael.bruning@qt.io> | 2023-05-02 08:59:39 +0000
commit | b2e45eb044ca9ca6f95282904e88f0820493386d (patch) |
tree | 9d60995ffb83b6e9d12636b48c263ec931f900ce /chromium |
parent | 82304e12695dd5732839a649f15eaa4ce08abfe5 (diff) |
download | qtwebengine-chromium-b2e45eb044ca9ca6f95282904e88f0820493386d.tar.gz |
[Backport] CVE-2023-2133: Out of bounds memory access in Service Worker API.
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4405896:
Use ScriptState::Scope instead of setting HandleScope.
M108 merge issues:
third_party/blink/renderer/modules/service_worker/service_worker_global_scope.cc:
Conflicting declarations for isolate
content_unittests_bundle_data.filelist:
Not present in 108, skipped; Only used in iOS tests on main
Since `GetEffectiveFunction` may call `Get` if the given v8 listener is
an object, we need to prepare `v8::Context::Scope` before calling it.
Blink already has a helper class to prepare the environment for
script execution, which has already been used in other
ServiceWorkerGlobalScope member functions. It is `ScriptState::Scope`.
This CL also uses it instead.
(cherry picked from commit 299385e09d41d5ce3abd434879b5f9b0a8880cd7)
Bug: 1429197
Change-Id: Idbcfdfa9c06160a18b57155a9540f72eed4ec0b8
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4387655
Commit-Queue: Yoshisato Yanagisawa <yyanagisawa@chromium.org>
Commit-Queue: Kouhei Ueno <kouhei@chromium.org>
Auto-Submit: Yoshisato Yanagisawa <yyanagisawa@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1125148}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4405896
Reviewed-by: Yoshisato Yanagisawa <yyanagisawa@chromium.org>
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Cr-Commit-Position: refs/branch-heads/5359@{#1448}
Cr-Branched-From: 27d3765d341b09369006d030f83f582a29eb57ae-refs/heads/main@{#1058933}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/474620
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
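The point of the change above is that a `v8::HandleScope` and an entered `v8::Context` are two different preconditions, and `ScriptState::Scope` establishes both. The following is an added example, not Blink or V8 code: a small constructed model in which `HandleScope`, `ContextScope`, `ScriptStateScope`, `Listener` and `GetEffectiveFunction` are stand-ins for the real classes, and where an object listener resolved without an entered context reports failure instead of reading memory it should not. It contrasts the removed pattern (handle scope only) with the pattern the CL introduces.

```cpp
// Added example, not Blink or V8 code: a minimal model of the precondition this
// CL restores. A HandleScope only bounds handle lifetimes; entering a context is
// a separate step, and an object listener needs an entered context before its
// handleEvent property can be looked up (the `Get` mentioned in the CL).
#include <cstddef>
#include <optional>
#include <string>
#include <vector>

struct Context {
  std::string name;
};

// Models "the currently entered context" of an isolate (constructed, not V8).
static thread_local const Context* g_current_context = nullptr;
static thread_local std::size_t g_open_handle_scopes = 0;

// Model of v8::HandleScope: bounds handle lifetime, says nothing about contexts.
class HandleScope {
 public:
  HandleScope() { ++g_open_handle_scopes; }
  ~HandleScope() { --g_open_handle_scopes; }
  HandleScope(const HandleScope&) = delete;
  HandleScope& operator=(const HandleScope&) = delete;
};

// Model of v8::Context::Scope: enters a context on construction and restores
// the previously entered one on destruction.
class ContextScope {
 public:
  explicit ContextScope(const Context& c) : previous_(g_current_context) {
    g_current_context = &c;
  }
  ~ContextScope() { g_current_context = previous_; }
  ContextScope(const ContextScope&) = delete;
  ContextScope& operator=(const ContextScope&) = delete;
 private:
  const Context* previous_;
};

// Model of ScriptState::Scope, the "prepare the environment for script
// execution" helper: a handle scope plus an entered context, in that order.
class ScriptStateScope {
 public:
  explicit ScriptStateScope(const Context& c) : context_scope_(c) {}
 private:
  HandleScope handle_scope_;
  ContextScope context_scope_;
};

struct Listener {
  bool is_object;             // true for an {handleEvent: fn} style listener
  std::string function_name;  // the function the listener resolves to
};

// Model of GetEffectiveFunction. A plain function listener resolves directly;
// an object listener needs a property Get, which requires an entered context.
// In this model the missing context yields nullopt instead of unsafe access.
std::optional<std::string> GetEffectiveFunction(const Listener& l) {
  if (g_open_handle_scopes == 0) return std::nullopt;  // handles need a scope
  if (!l.is_object) return l.function_name;
  if (g_current_context == nullptr) return std::nullopt;  // the unsafe case
  return l.function_name;
}

// True only if every registered listener could be resolved.
bool ResolveAll(const std::vector<Listener>& listeners) {
  for (const Listener& l : listeners) {
    if (!GetEffectiveFunction(l)) return false;
  }
  return true;
}

// The pattern removed by the CL: a handle scope, but no entered context.
bool ResolveWithHandleScopeOnly(const std::vector<Listener>& listeners) {
  HandleScope handle_scope;
  return ResolveAll(listeners);
}

// The pattern the CL introduces: ScriptState::Scope before iterating.
bool ResolveWithScriptStateScope(const Context& ctx,
                                 const std::vector<Listener>& listeners) {
  ScriptStateScope scope(ctx);
  return ResolveAll(listeners);
}

// Constructed sample: one function listener and one object listener.
static std::vector<Listener> SampleListeners() {
  return {{false, "onFetch"}, {true, "handleEvent"}};
}

bool DemoBeforeFix() { return ResolveWithHandleScopeOnly(SampleListeners()); }

bool DemoAfterFix() {
  const Context worker_context{"service-worker-global-scope"};
  return ResolveWithScriptStateScope(worker_context, SampleListeners());
}

int main() {
  // Before: the object listener cannot be resolved; after: both resolve.
  return (!DemoBeforeFix() && DemoAfterFix()) ? 0 : 1;
}
```

The function-style listener resolves under both patterns, which is why a bug of this kind is easy to miss in testing: only the object-listener path exercises the `Get` that depends on the entered context.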
Diffstat (limited to 'chromium')
-rw-r--r-- | chromium/third_party/blink/renderer/modules/service_worker/service_worker_global_scope.cc | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/chromium/third_party/blink/renderer/modules/service_worker/service_worker_global_scope.cc b/chromium/third_party/blink/renderer/modules/service_worker/service_worker_global_scope.cc index c66d232a655..b3a9f691a0f 100644 --- a/chromium/third_party/blink/renderer/modules/service_worker/service_worker_global_scope.cc +++ b/chromium/third_party/blink/renderer/modules/service_worker/service_worker_global_scope.cc @@ -2602,12 +2602,15 @@ ServiceWorkerGlobalScope::FetchHandlerType() { if (!elv) { return mojom::blink::ServiceWorkerFetchHandlerType::kNoHandler; } - v8::Isolate* isolate = v8::Isolate::GetCurrent(); - v8::HandleScope handle_scope(isolate); + + ScriptState* script_state = ScriptController()->GetScriptState(); + // Do not remove this, |scope| is needed by `GetEffectiveFunction`. + ScriptState::Scope scope(script_state); + // TODO(crbug.com/1349613): revisit the way to implement this. // The following code returns kEmptyFetchHandler if all handlers are nop. for (RegisteredEventListener& e : *elv) { - EventTarget* et = EventTarget::Create(ScriptController()->GetScriptState()); + EventTarget* et = EventTarget::Create(script_state); v8::Local<v8::Value> v = To<JSBasedEventListener>(e.Callback())->GetEffectiveFunction(*et); if (!v->IsFunction() || |
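Review bot: the inline comment `// Do not remove this, |scope| is needed by `GetEffectiveFunction`.` states the constraint but not the reason; the CL description already has it (`GetEffectiveFunction` may call `Get` when the listener is an object, which needs an entered `v8::Context`), so put that reason in the comment itself so the next reader of `FetchHandlerType()` does not have to locate this change. Hoisting `ScriptController()->GetScriptState()` into `script_state` and reusing it in `EventTarget::Create(script_state)` is the right accompanying change, as the scope and the event target are then guaranteed to use the same `ScriptState`.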