From 691467ccbb87ccd558467e384f280aed122a85e2 Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen <allan.jensen@qt.io>
Date: Tue, 15 Oct 2019 11:50:00 +0200
Subject: [Backport] CVE-2019-13673
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

[inspector] Generate custom previews in the objects creation context.

Generating custom previews can invoke user specified JavaScript (via the
`window.devtoolsFormatters` custom formatters feature). These custom
formatters were previously invoked in the main page context, even for
objects coming from other `<iframe>`s. Instead of using the main
renderer context, we should instead generate the custom preview in the
creation context of the object.

Bug: chromium:997925
Change-Id: Ia07915cff6680153b6727e68117ed565e60bc1c2
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63476}
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
---
 chromium/v8/src/inspector/custom-preview.cc  | 2 +-
 chromium/v8/src/inspector/custom-preview.h   | 6 +++---
 chromium/v8/src/inspector/injected-script.cc | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/chromium/v8/src/inspector/custom-preview.cc b/chromium/v8/src/inspector/custom-preview.cc
index 63d1d74ab81..974ab3382ad 100644
--- a/chromium/v8/src/inspector/custom-preview.cc
+++ b/chromium/v8/src/inspector/custom-preview.cc
@@ -242,10 +242,10 @@ void bodyCallback(const v8::FunctionCallbackInfo<v8::Value>& info) {
 }  // anonymous namespace
 
 void generateCustomPreview(int sessionId, const String16& groupName,
-                           v8::Local<v8::Context> context,
                            v8::Local<v8::Object> object,
                            v8::MaybeLocal<v8::Value> maybeConfig, int maxDepth,
                            std::unique_ptr<CustomPreview>* preview) {
+  v8::Local<v8::Context> context = object->CreationContext();
   v8::Isolate* isolate = context->GetIsolate();
   v8::MicrotasksScope microtasksScope(isolate,
                                       v8::MicrotasksScope::kDoNotRunMicrotasks);
diff --git a/chromium/v8/src/inspector/custom-preview.h b/chromium/v8/src/inspector/custom-preview.h
index 1ae8e25a4c7..1e8c74a154c 100644
--- a/chromium/v8/src/inspector/custom-preview.h
+++ b/chromium/v8/src/inspector/custom-preview.h
@@ -13,9 +13,9 @@ namespace v8_inspector {
 const int kMaxCustomPreviewDepth = 20;
 
 void generateCustomPreview(
-    int sessionId, const String16& groupName, v8::Local<v8::Context> context,
-    v8::Local<v8::Object> object, v8::MaybeLocal<v8::Value> config,
-    int maxDepth, std::unique_ptr<protocol::Runtime::CustomPreview>* preview);
+    int sessionId, const String16& groupName, v8::Local<v8::Object> object,
+    v8::MaybeLocal<v8::Value> config, int maxDepth,
+    std::unique_ptr<protocol::Runtime::CustomPreview>* preview);
 
 }  // namespace v8_inspector
 
diff --git a/chromium/v8/src/inspector/injected-script.cc b/chromium/v8/src/inspector/injected-script.cc
index f1eb4fecf30..e728f6b97d3 100644
--- a/chromium/v8/src/inspector/injected-script.cc
+++ b/chromium/v8/src/inspector/injected-script.cc
@@ -430,7 +430,7 @@ Response InjectedScript::wrapObjectMirror(
   if (!response.isSuccess()) return response;
   if (customPreviewEnabled && value->IsObject()) {
     std::unique_ptr<protocol::Runtime::CustomPreview> customPreview;
-    generateCustomPreview(sessionId, groupName, context, value.As<v8::Object>(),
+    generateCustomPreview(sessionId, groupName, value.As<v8::Object>(),
                           customPreviewConfig, maxCustomPreviewDepth,
                           &customPreview);
     if (customPreview) (*result)->setCustomPreview(std::move(customPreview));
-- 
cgit v1.2.1