From 232288de9e12c0c4fb8b5686a7fe81280ee4852f Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen
Date: Mon, 29 Jan 2018 11:44:30 +0100
Subject: [Backport] Validate frame after conversion in chrome.send

BUG=797511
TEST=Manually, see https://crbug.com/797511#c1
TBR=rob@robwu.nl

(cherry picked from commit 90585e657db48f93bd73bc45d4caa975323da41b)
Reviewed-on: https://chromium-review.googlesource.com/844076
Commit-Queue: Rob Wu
Reviewed-by: Kentaro Hara
Cr-Original-Commit-Position: refs/heads/master@{#526197}
Reviewed-on: https://chromium-review.googlesource.com/874471
Reviewed-by: Rob Wu
Cr-Commit-Position: refs/branch-heads/3282@{#541}
(CVE-2018-6054)
Change-Id: I4ae431b43251c018e21442551acc36e9b9e1caa3
Reviewed-by: Michal Klocek
---
 chromium/content/renderer/web_ui_extension.cc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/chromium/content/renderer/web_ui_extension.cc b/chromium/content/renderer/web_ui_extension.cc
index 802bd7a0e61..c14313283f1 100644
--- a/chromium/content/renderer/web_ui_extension.cc
+++ b/chromium/content/renderer/web_ui_extension.cc
@@ -124,6 +124,13 @@ void WebUIExtension::Send(gin::Arguments* args) {
     content = base::ListValue::From(V8ValueConverter::Create()->FromV8Value(
         obj, frame->MainWorldScriptContext()));
     DCHECK(content);
+    // The conversion of |obj| could have triggered arbitrary JavaScript code,
+    // so check that the frame is still valid to avoid dereferencing a stale
+    // pointer.
+    if (frame != blink::WebLocalFrame::FrameForCurrentContext()) {
+      NOTREACHED();
+      return;
+    }
   }
 
   // Send the message up to the browser.
-- 
cgit v1.2.1
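Review bot: The `NOTREACHED();` inside the new guard marks as an invariant violation a state that the comment two lines above says page script can bring about (the V8 conversion may run arbitrary JavaScript that detaches or replaces the frame), so a debug or DCHECK-enabled build will crash on input a WebUI page can produce, while the release build relies solely on the `return;`. If the condition is reachable by design, the guard should just be `if (frame != blink::WebLocalFrame::FrameForCurrentContext()) return;`, with the comment kept; if it is meant to be unreachable, the comment should say why page script cannot reach it. Note also that the check compares a possibly stale `frame` pointer value rather than re-deriving the frame from the current context, which is fine as an identity test but means every later use of `frame` in this function depends on this early return; the remainder of `WebUIExtension::Send`, including the send-to-browser step, lies outside the hunk.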