author | Monica Basta <msalama@chromium.org> | 2022-07-19 07:49:03 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2022-08-08 15:25:02 +0000 |
commit | d750645e434057ae3d8426eed931fd48d32c1ed7 (patch) | |
tree | 88dd527baf444cbb68c8d6708f6e00be45765e82 /chromium | |
parent | 577388738e0025c415606b97e82a88ff3f090357 (diff) | |
download | qtwebengine-chromium-d750645e434057ae3d8426eed931fd48d32c1ed7.tar.gz |
[Backport] CVE-2022-2614: Use after free in Sign-In Flow
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3770271:
Use WeakPtr in AccountReconcilor to avoid UAF
(cherry picked from commit f65ea3435ff2a10b4e1ce1f855863e8eaa127a04)
Bug: 1341907
Change-Id: I14e8d263e3a5f073d61677fedd53c67395382742
Commit-Queue: David Roger <droger@chromium.org>
Reviewed-by: David Roger <droger@chromium.org>
Commit-Queue: Monica Basta <msalama@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1022147}
Reviewed-by: Monica Basta <msalama@chromium.org>
Cr-Commit-Position: refs/branch-heads/5112@{#1011}
Cr-Branched-From: b13d3fe7b3c47a56354ef54b221008afa754412e-refs/heads/main@{#1012729}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'chromium')
-rw-r--r-- | chromium/components/signin/core/browser/account_reconcilor.cc | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/chromium/components/signin/core/browser/account_reconcilor.cc b/chromium/components/signin/core/browser/account_reconcilor.cc index 7e4dc75f045..a19f9646c5f 100644 --- a/chromium/components/signin/core/browser/account_reconcilor.cc +++ b/chromium/components/signin/core/browser/account_reconcilor.cc @@ -758,7 +758,7 @@ void AccountReconcilor::ScheduleStartReconcileIfChromeAccountsChanged() { SetState(AccountReconcilorState::ACCOUNT_RECONCILOR_SCHEDULED); base::ThreadTaskRunnerHandle::Get()->PostTask( FROM_HERE, base::BindOnce(&AccountReconcilor::StartReconcile, - base::Unretained(this), + weak_factory_.GetWeakPtr(), Trigger::kTokenChangeDuringReconcile)); } else if (error_during_last_reconcile_.state() == GoogleServiceAuthError::NONE) { |
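Review bot: at the PostTask call in ScheduleStartReconcileIfChromeAccountsChanged(), the bound receiver is now weak_factory_.GetWeakPtr(), but the diffstat lists only account_reconcilor.cc, so the declaration of weak_factory_ is not visible in this change. Please confirm in the class definition that it is a base::WeakPtrFactory<AccountReconcilor> declared as the last member, so outstanding weak pointers are invalidated before any other member is destroyed; otherwise the posted StartReconcile can still observe a partially destroyed object. Because the fix touches a single call site, it is also worth checking whether any other asynchronous callback in this file still binds base::Unretained(this), and adding a regression test that destroys the reconcilor between this PostTask and the task running, with Trigger::kTokenChangeDuringReconcile, to show the task is dropped rather than executed.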