diff options
| author | Sergei Glazunov <glazunov@google.com> | 2021-02-11 23:23:55 +0000 |
|---|---|---|
| committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2021-04-12 08:45:28 +0000 |
| commit | 3e5d228b621854e4fe9e97f529808e30dbd291c3 (patch) | |
| tree | 4fce7c72749ed7256af36432d97a584b46dae0ec | |
| parent | 4e9b94e56efcc4c992a29a125c7007bd57e5cac6 (diff) | |
| download | qtwebengine-chromium-3e5d228b621854e4fe9e97f529808e30dbd291c3.tar.gz | |
[Backport] CVE-2021-21156: Heap buffer overflow in V8
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2691314:
Use a copy for transferring non detachable buffers
Currently, |DOMArrayBuffer::Transfer()| makes a copy, but still uses
the original buffer for transferring, thus making it possible to share a
regular ArrayBuffer (not SAB) with multiple threads.
Bug: 1177341
Change-Id: Idb48deb1698fe555f32531bc04b55dd3e1fb0a06
Reviewed-by: Srinivas Sista <srinivassista@chromium.org>
Cr-Commit-Position: refs/branch-heads/4145@{#6}
Cr-Branched-From: 247755238324ad7d4f4b4420523b887e49df2e48-refs/heads/master@{#768051}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| -rw-r--r-- | chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc | 15 | ||||
| -rw-r--r-- | chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.h | 2 |
2 files changed, 15 insertions, 2 deletions
diff --git a/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc b/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc index e4e9c0a05eb..54b3be79f0c 100644 --- a/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc +++ b/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc @@ -44,13 +44,24 @@ bool DOMArrayBuffer::Transfer(v8::Isolate* isolate, to_transfer = DOMArrayBuffer::Create(Buffer()->Data(), Buffer()->ByteLength()); } + return to_transfer->TransferNeuterable(isolate, result); +} + +bool DOMArrayBuffer::TransferNeuterable(v8::Isolate* isolate, + WTF::ArrayBufferContents& result) { + DCHECK(IsNeuterable(isolate)); + + if (IsNeutered()) { + result.Neuter(); + return false; + } - if (!to_transfer->Buffer()->Transfer(result)) + if (!Buffer()->Transfer(result)) return false; Vector<v8::Local<v8::ArrayBuffer>, 4> buffer_handles; v8::HandleScope handle_scope(isolate); - AccumulateArrayBuffersForAllWorlds(isolate, to_transfer, buffer_handles); + AccumulateArrayBuffersForAllWorlds(isolate, this, buffer_handles); for (const auto& buffer_handle : buffer_handles) buffer_handle->Neuter(); diff --git a/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.h b/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.h index e07467790a2..53b053214a8 100644 --- a/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.h +++ b/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.h @@ -54,6 +54,8 @@ class CORE_EXPORT DOMArrayBuffer final : public DOMArrayBufferBase { v8::Local<v8::Object> creation_context) override; private: + bool TransferNeuterable(v8::Isolate*, WTF::ArrayBufferContents& result); + explicit DOMArrayBuffer(scoped_refptr<WTF::ArrayBuffer> buffer) : DOMArrayBufferBase(std::move(buffer)) {} }; |