From 50767ed3f44a7de92913cf505547a8863f4d667c Mon Sep 17 00:00:00 2001
From: Brandon Jones
Date: Wed, 7 Dec 2022 01:45:54 +0000
Subject: [Backport] CVE-2023-0699: Use after free in GPU (2/2)

Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4083922:

Clear data if GetBucketContents early terminates

Follow up to https://chromium-review.googlesource.com/c/chromium/src/+/4076865

Bug: 1371859
Change-Id: I33dbcd6e7e8094d44fe3d7623dc9c152224342e2
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4083922
Commit-Queue: Brandon Jones
Reviewed-by: Victor Miura
Cr-Commit-Position: refs/heads/main@{#1080121}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/460498
Reviewed-by: Allan Sandfeld Jensen
---
 chromium/gpu/command_buffer/client/implementation_base.cc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/chromium/gpu/command_buffer/client/implementation_base.cc b/chromium/gpu/command_buffer/client/implementation_base.cc
index 8a3aa39c7fc..fc7d4c21447 100644
--- a/chromium/gpu/command_buffer/client/implementation_base.cc
+++ b/chromium/gpu/command_buffer/client/implementation_base.cc
@@ -302,6 +302,7 @@ bool ImplementationBase::GetBucketContents(uint32_t bucket_id,
     helper_->GetBucketData(bucket_id, offset, buffer.size(), buffer.shm_id(),
                            buffer.offset());
     if (!WaitForCmd()) {
+      data->clear();
       return false;
     }
   }
-- 
cgit v1.2.1
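Review bot: The added `data->clear();` establishes a failure contract for GetBucketContents that the code states nowhere: a caller that ignores the `false` return presumably would otherwise read a vector that was already sized for the bucket but only partially filled with the transferred chunks, so the declaration in the corresponding header should say so, e.g. `// Returns false if the command stream could not be waited on; *data is left empty in that case.`. If the part of the function before this loop has its own `return false` path (it starts outside the hunk), that path should clear `data` the same way, or the clear should be hoisted to a single failure exit so the two paths cannot drift apart. GetBucketContents begins before and ends after this hunk.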