author | Rune Lillesveen <futhark@chromium.org> | 2021-03-30 18:36:59 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2021-05-07 08:27:34 +0000 |
commit | 1fec1bec9bc17067a5128eb6d8bcdb822928acd5 (patch) | |
tree | f216e28271b66f72e252e82bd7d4421af9480449 | |
parent | a87ec5b7e50e40982e1cc7881a527d8246eeac43 (diff) | |
download | qtwebengine-chromium-1fec1bec9bc17067a5128eb6d8bcdb822928acd5.tar.gz | |
[Backport] CVE-2021-21203: Use after free in Blink
Cherry-pick of commit originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2792423:
Don't erase InterpolationTypes used by other documents
A registered custom property in one document caused the entry for the
same custom property (unregistered) used in another document to be
deleted, which caused a use-after-free.
Only store the CSSDefaultInterpolationType for unregistered custom
properties and never store registered properties in the map. They may
have different types in different documents when registered.
Bug: 1192054
Change-Id: I1af03d0a298795db99acc9c62f0d0fff8a5e801d
Commit-Queue: Rune Lillesveen <futhark@chromium.org>
Reviewed-by: Robert Flack <flackr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#867692}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/third_party/blink/renderer/core/animation/css_interpolation_types_map.cc | 26 |
1 files changed, 10 insertions, 16 deletions
diff --git a/chromium/third_party/blink/renderer/core/animation/css_interpolation_types_map.cc b/chromium/third_party/blink/renderer/core/animation/css_interpolation_types_map.cc index 5d76ade2851..179364c5d46 100644 --- a/chromium/third_party/blink/renderer/core/animation/css_interpolation_types_map.cc +++ b/chromium/third_party/blink/renderer/core/animation/css_interpolation_types_map.cc @@ -76,28 +76,22 @@ const InterpolationTypes& CSSInterpolationTypesMap::Get( DEFINE_STATIC_LOCAL(ApplicableTypesMap, all_applicable_types_map, ()); DEFINE_STATIC_LOCAL(ApplicableTypesMap, composited_applicable_types_map, ()); - ApplicableTypesMap& applicable_types_map = - allow_all_animations_ ? all_applicable_types_map - : composited_applicable_types_map; - - auto entry = applicable_types_map.find(property); - bool found_entry = entry != applicable_types_map.end(); - // Custom property interpolation types may change over time so don't trust the - // applicableTypesMap without checking the registry. + // applicable_types_map without checking the registry. Also since the static + // map is shared between documents, the registered type may be different in + // the different documents. if (registry_ && property.IsCSSCustomProperty()) { - const auto* registration = GetRegistration(registry_.Get(), property); - if (registration) { - if (found_entry) { - applicable_types_map.erase(entry); - } + if (const auto* registration = GetRegistration(registry_, property)) return registration->GetInterpolationTypes(); - } } - if (found_entry) { + ApplicableTypesMap& applicable_types_map = + allow_all_animations_ ? all_applicable_types_map + : composited_applicable_types_map; + + auto entry = applicable_types_map.find(property); + if (entry != applicable_types_map.end()) return *entry->value; - } std::unique_ptr<InterpolationTypes> applicable_types = std::make_unique<InterpolationTypes>(); |
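Review bot: The actual fix in this hunk is the removal of the `applicable_types_map.erase(entry);` branch together with moving the registry lookup ahead of the static-map lookup; since `all_applicable_types_map` and `composited_applicable_types_map` are `DEFINE_STATIC_LOCAL` and therefore shared by every document in the process, erasing an entry from one document's `Get()` call invalidated the `InterpolationTypes` that a caller in another document had obtained by reference from `*entry->value`, which is the use-after-free described in the commit message. Two things are worth asking for before this lands: first, the file list shows only `css_interpolation_types_map.cc` changing, so there is no regression test for the cross-document case (one document registering a custom property via `registry_` while another animates the same, unregistered, custom property); second, the new comment explains that the registered type may differ between documents but not why the cached entry stays valid for unregistered properties, so consider extending it with the invariant stated in the commit message, e.g. "Only the CSSDefaultInterpolationType for unregistered custom properties is ever stored in the static maps; registered properties always return early from the registry above." With that invariant explicit, a later reader is less likely to reintroduce an erase or to cache a registration-dependent type in the shared map.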