From 642c7bea74e22a9578944ff419fa9fa682adbab7 Mon Sep 17 00:00:00 2001 From: Adam Rice Date: Tue, 18 Feb 2020 06:43:52 +0000 Subject: [Backport] CVE-2020-6407: Out of bounds memory access in streams MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2032471 https://chromium-review.googlesource.com/c/chromium/src/+/2060221: Streams: Convert state DCHECKs to CHECKs Merge to release branch 3987. Original description: For "cheap" checks of state in the streams implementation, use CHECKs instead of DCHECKs. This will improve robustness against logic errors. BUG=1045931 TBR=yhirano@chromium.org (cherry picked from commit 122b074f0354079f3d9044cc14890dcfd2d72918) Change-Id: Ide564096a4aeb05e0e09a8fad9056b617dbcaf31 Reviewed-by: Jüri Valdmann --- .../streams/readable_stream_default_controller.cc | 6 +++--- .../core/streams/readable_stream_native.cc | 8 ++++---- .../core/streams/transform_stream_native.cc | 2 +- .../streams/writable_stream_default_controller.cc | 12 ++++++------ .../core/streams/writable_stream_default_writer.cc | 4 ++-- .../core/streams/writable_stream_native.cc | 22 +++++++++++----------- 6 files changed, 27 insertions(+), 27 deletions(-) diff --git a/chromium/third_party/blink/renderer/core/streams/readable_stream_default_controller.cc b/chromium/third_party/blink/renderer/core/streams/readable_stream_default_controller.cc index 653cab070a3..d9e69a72280 100644 --- a/chromium/third_party/blink/renderer/core/streams/readable_stream_default_controller.cc +++ b/chromium/third_party/blink/renderer/core/streams/readable_stream_default_controller.cc @@ -110,7 +110,7 @@ void ReadableStreamDefaultController::Close( // 2. Assert: ! ReadableStreamDefaultControllerCanCloseOrEnqueue(controller) // is true. - DCHECK(CanCloseOrEnqueue(controller)); + CHECK(CanCloseOrEnqueue(controller)); // 3. Set controller.[[closeRequested]] to true. controller->is_close_requested_ = true; @@ -136,7 +136,7 @@ void ReadableStreamDefaultController::Enqueue( // 2. Assert: ! ReadableStreamDefaultControllerCanCloseOrEnqueue(controller) // is true. - DCHECK(CanCloseOrEnqueue(controller)); + CHECK(CanCloseOrEnqueue(controller)); // 3. If ! IsReadableStreamLocked(stream) is true and ! // ReadableStreamGetNumReadRequests(stream) > 0, perform ! @@ -261,7 +261,7 @@ const char* ReadableStreamDefaultController::EnqueueExceptionMessage( if (state == ReadableStreamNative::kErrored) { return "Cannot enqueue a chunk into an errored readable stream"; } - DCHECK(state == ReadableStreamNative::kClosed); + CHECK(state == ReadableStreamNative::kClosed); return "Cannot enqueue a chunk into a closed readable stream"; } diff --git a/chromium/third_party/blink/renderer/core/streams/readable_stream_native.cc b/chromium/third_party/blink/renderer/core/streams/readable_stream_native.cc index 240f1003a37..49eaeb8a976 100644 --- a/chromium/third_party/blink/renderer/core/streams/readable_stream_native.cc +++ b/chromium/third_party/blink/renderer/core/streams/readable_stream_native.cc @@ -1333,7 +1333,7 @@ void ReadableStreamNative::Initialize(ReadableStreamNative* stream) { // initialised correctly. // https://streams.spec.whatwg.org/#initialize-readable-stream // 1. Set stream.[[state]] to "readable". - DCHECK_EQ(stream->state_, kReadable); + CHECK_EQ(stream->state_, kReadable); // 2. Set stream.[[reader]] and stream.[[storedError]] to undefined. DCHECK(!stream->reader_); DCHECK(stream->stored_error_.IsEmpty()); @@ -1452,7 +1452,7 @@ StreamPromiseResolver* ReadableStreamNative::AddReadRequest( DCHECK(stream->reader_); // 2. Assert: stream.[[state]] is "readable". - DCHECK_EQ(stream->state_, kReadable); + CHECK_EQ(stream->state_, kReadable); // 3. Let promise be a new promise. auto* promise = MakeGarbageCollected(script_state); @@ -1519,7 +1519,7 @@ void ReadableStreamNative::Close(ScriptState* script_state, ReadableStreamNative* stream) { // https://streams.spec.whatwg.org/#readable-stream-close // 1. Assert: stream.[[state]] is "readable". - DCHECK_EQ(stream->state_, kReadable); + CHECK_EQ(stream->state_, kReadable); // 2. Set stream.[[state]] to "closed". stream->state_ = kClosed; @@ -1606,7 +1606,7 @@ void ReadableStreamNative::Error(ScriptState* script_state, v8::Local e) { // https://streams.spec.whatwg.org/#readable-stream-error // 2. Assert: stream.[[state]] is "readable". - DCHECK_EQ(stream->state_, kReadable); + CHECK_EQ(stream->state_, kReadable); auto* isolate = script_state->GetIsolate(); // 3. Set stream.[[state]] to "errored". diff --git a/chromium/third_party/blink/renderer/core/streams/transform_stream_native.cc b/chromium/third_party/blink/renderer/core/streams/transform_stream_native.cc index 825cece3098..bb1879be172 100644 --- a/chromium/third_party/blink/renderer/core/streams/transform_stream_native.cc +++ b/chromium/third_party/blink/renderer/core/streams/transform_stream_native.cc @@ -488,7 +488,7 @@ class TransformStreamNative::DefaultSinkWriteAlgorithm final } // 4. Assert: state is "writable". - DCHECK(writable->IsWritable()); + CHECK(writable->IsWritable()); // 5. Return ! TransformStreamDefaultControllerPerformTransform( // controller, chunk). diff --git a/chromium/third_party/blink/renderer/core/streams/writable_stream_default_controller.cc b/chromium/third_party/blink/renderer/core/streams/writable_stream_default_controller.cc index 08652a65c0a..afded82d46d 100644 --- a/chromium/third_party/blink/renderer/core/streams/writable_stream_default_controller.cc +++ b/chromium/third_party/blink/renderer/core/streams/writable_stream_default_controller.cc @@ -146,8 +146,8 @@ void WritableStreamDefaultController::SetUp( // 16. Upon fulfillment of startPromise // a. Assert: stream.[[state]] is "writable" or "erroring". const auto state = stream_->GetState(); - DCHECK(state == WritableStreamNative::kWritable || - state == WritableStreamNative::kErroring); + CHECK(state == WritableStreamNative::kWritable || + state == WritableStreamNative::kErroring); // b. Set controller.[[started]] to true. WritableStreamDefaultController* controller = stream_->Controller(); @@ -178,8 +178,8 @@ void WritableStreamDefaultController::SetUp( // 17. Upon rejection of startPromise with reason r, // a. Assert: stream.[[state]] is "writable" or "erroring". const auto state = stream_->GetState(); - DCHECK(state == WritableStreamNative::kWritable || - state == WritableStreamNative::kErroring); + CHECK(state == WritableStreamNative::kWritable || + state == WritableStreamNative::kErroring); // b. Set controller.[[started]] to true. WritableStreamDefaultController* controller = stream_->Controller(); @@ -578,8 +578,8 @@ void WritableStreamDefaultController::ProcessWrite( const auto state = stream_->GetState(); // c. Assert: state is "writable" or "erroring". - DCHECK(state == WritableStreamNative::kWritable || - state == WritableStreamNative::kErroring); + CHECK(state == WritableStreamNative::kWritable || + state == WritableStreamNative::kErroring); // d. Perform ! DequeueValue(controller). controller_->queue_->DequeueValue(script_state->GetIsolate()); diff --git a/chromium/third_party/blink/renderer/core/streams/writable_stream_default_writer.cc b/chromium/third_party/blink/renderer/core/streams/writable_stream_default_writer.cc index de107de2f5c..146ac34d274 100644 --- a/chromium/third_party/blink/renderer/core/streams/writable_stream_default_writer.cc +++ b/chromium/third_party/blink/renderer/core/streams/writable_stream_default_writer.cc @@ -346,8 +346,8 @@ v8::Local WritableStreamDefaultWriter::CloseWithErrorPropagation( } // 6. Assert: state is "writable" or "erroring". - DCHECK(state == WritableStreamNative::kWritable || - state == WritableStreamNative::kErroring); + CHECK(state == WritableStreamNative::kWritable || + state == WritableStreamNative::kErroring); // 7. Return ! WritableStreamDefaultWriterClose(writer). return Close(script_state, writer); diff --git a/chromium/third_party/blink/renderer/core/streams/writable_stream_native.cc b/chromium/third_party/blink/renderer/core/streams/writable_stream_native.cc index 4c8477811ac..71c5e6fa5b4 100644 --- a/chromium/third_party/blink/renderer/core/streams/writable_stream_native.cc +++ b/chromium/third_party/blink/renderer/core/streams/writable_stream_native.cc @@ -316,7 +316,7 @@ v8::Local WritableStreamNative::Abort( } // 4. Assert: state is "writable" or "erroring". - DCHECK(state == kWritable || state == kErroring); + CHECK(state == kWritable || state == kErroring); // 5. Let wasAlreadyErroring be false. // 6. If state is "erroring", @@ -355,7 +355,7 @@ v8::Local WritableStreamNative::AddWriteRequest( DCHECK(IsLocked(stream)); // 2. Assert: stream.[[state]] is "writable". - DCHECK_EQ(stream->state_, kWritable); + CHECK_EQ(stream->state_, kWritable); // 3. Let promise be a new promise. auto* promise = MakeGarbageCollected(script_state); @@ -393,7 +393,7 @@ void WritableStreamNative::DealWithRejection(ScriptState* script_state, } // 3. Assert: state is "erroring". - DCHECK_EQ(state, kErroring); + CHECK_EQ(state, kErroring); // 4. Perform ! WritableStreamFinishErroring(stream). FinishErroring(script_state, stream); @@ -407,7 +407,7 @@ void WritableStreamNative::StartErroring(ScriptState* script_state, DCHECK(stream->stored_error_.IsEmpty()); // 2. Assert: stream.[[state]] is "writable". - DCHECK_EQ(stream->state_, kWritable); + CHECK_EQ(stream->state_, kWritable); // 3. Let controller be stream.[[writableStreamController]]. WritableStreamDefaultController* controller = @@ -444,7 +444,7 @@ void WritableStreamNative::FinishErroring(ScriptState* script_state, WritableStreamNative* stream) { // https://streams.spec.whatwg.org/#writable-stream-finish-erroring // 1. Assert: stream.[[state]] is "erroring". - DCHECK_EQ(stream->state_, kErroring); + CHECK_EQ(stream->state_, kErroring); // 2. Assert: ! WritableStreamHasOperationMarkedInFlight(stream) is false. DCHECK(!HasOperationMarkedInFlight(stream)); @@ -593,7 +593,7 @@ void WritableStreamNative::FinishInFlightWriteWithError( // 4. Assert: stream.[[state]] is "writable" or "erroring". const auto state = stream->state_; - DCHECK(state == kWritable || state == kErroring); + CHECK(state == kWritable || state == kErroring); // 5. Perform ! WritableStreamDealWithRejection(stream, error). DealWithRejection(script_state, stream, error); @@ -615,7 +615,7 @@ void WritableStreamNative::FinishInFlightClose(ScriptState* script_state, const auto state = stream->state_; // 5. Assert: stream.[[state]] is "writable" or "erroring". - DCHECK(state == kWritable || state == kErroring); + CHECK(state == kWritable || state == kErroring); // 6. If state is "erroring", if (state == kErroring) { @@ -669,7 +669,7 @@ void WritableStreamNative::FinishInFlightCloseWithError( // 4. Assert: stream.[[state]] is "writable" or "erroring". const auto state = stream->state_; - DCHECK(state == kWritable || state == kErroring); + CHECK(state == kWritable || state == kErroring); // 5. If stream.[[pendingAbortRequest]] is not undefined, if (stream->pending_abort_request_) { @@ -725,10 +725,10 @@ void WritableStreamNative::UpdateBackpressure(ScriptState* script_state, bool backpressure) { // https://streams.spec.whatwg.org/#writable-stream-update-backpressure // 1. Assert: stream.[[state]] is "writable". - DCHECK_EQ(stream->state_, kWritable); + CHECK_EQ(stream->state_, kWritable); // 2. Assert: ! WritableStreamCloseQueuedOrInFlight(stream) is false. - DCHECK(!CloseQueuedOrInFlight(stream)); + CHECK(!CloseQueuedOrInFlight(stream)); // 3. Let writer be stream.[[writer]]. WritableStreamDefaultWriter* writer = stream->writer_; @@ -800,7 +800,7 @@ void WritableStreamNative::RejectCloseAndClosedPromiseIfNeeded( WritableStreamNative* stream) { // https://streams.spec.whatwg.org/#writable-stream-reject-close-and-closed-promise-if-needed // // 1. Assert: stream.[[state]] is "errored". - DCHECK_EQ(stream->state_, kErrored); + CHECK_EQ(stream->state_, kErrored); auto* isolate = script_state->GetIsolate(); -- cgit v1.2.1