diff options
| author | Dave Tapuska <dtapuska@chromium.org> | 2023-03-27 07:05:12 +0000 |
|---|---|---|
| committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2023-05-02 08:58:05 +0000 |
| commit | d6c41f42c6315694b2aa3f435fd5fc4dac578108 (patch) | |
| tree | 315b97cb3a3e1e844c07cb9ba281cac804e6291e | |
| parent | ee3b4cdf2ea07ba6804f997b0dd7d3f99abf7b83 (diff) | |
| download | qtwebengine-chromium-d6c41f42c6315694b2aa3f435fd5fc4dac578108.tar.gz | |
[Backport] CVE-2023-1811: Use after free in Frames
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4372837:
Move the edit commands to an on stack variable
DevTools uses nested event loops and the usage of the class member can
be problematic for iteration because the nested loop can change the
variable's storage causing a UAF.
Bug: 1420510
Change-Id: Ie08a71b60401fa4322cca0cc31062ba64672126a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4355811
Commit-Queue: Dave Tapuska <dtapuska@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1120123}
(cherry picked from commit d9b34f0f3a2d0dd73648eca3ef940fb66806227b)
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/474364
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| -rw-r--r-- | chromium/third_party/blink/renderer/core/frame/web_frame_widget_impl.cc | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/chromium/third_party/blink/renderer/core/frame/web_frame_widget_impl.cc b/chromium/third_party/blink/renderer/core/frame/web_frame_widget_impl.cc index a069259312a..d541dde07f0 100644 --- a/chromium/third_party/blink/renderer/core/frame/web_frame_widget_impl.cc +++ b/chromium/third_party/blink/renderer/core/frame/web_frame_widget_impl.cc @@ -3190,11 +3190,18 @@ void WebFrameWidgetImpl::AddEditCommandForNextKeyEvent(const WebString& name, } bool WebFrameWidgetImpl::HandleCurrentKeyboardEvent() { - bool did_execute_command = false; + if (edit_commands_.empty()) { + return false; + } WebLocalFrame* frame = FocusedWebLocalFrameInWidget(); if (!frame) frame = local_root_; - for (const auto& command : edit_commands_) { + bool did_execute_command = false; + // Executing an edit command can run JS and we can end up reassigning + // `edit_commands_` so move it to a stack variable before iterating on it. + Vector<mojom::blink::EditCommandPtr> edit_commands = + std::move(edit_commands_); + for (const auto& command : edit_commands) { // In gtk and cocoa, it's possible to bind multiple edit commands to one // key (but it's the exception). Once one edit command is not executed, it // seems safest to not execute the rest. |