author | Jana Grill <janagrill@google.com> | 2021-04-14 08:40:10 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2021-04-15 15:07:57 +0000 |
commit | 3fdc4e2948b2d6a8297d214ddee84a5c6b6ca5cb (patch) | |
tree | 283e8637df359702b62fd193d6543e29875ec360 | |
parent | eb3c33bf36498891c057e24d815444fc134c04ff (diff) | |
download | qtwebengine-chromium-3fdc4e2948b2d6a8297d214ddee84a5c6b6ca5cb.tar.gz |
[Backport] CVE-2021-21206: Use after free in Blink
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2821879:
Forbid script execution while updating the paint lifecycle.
(cherry picked from commit 5425d3b100fab533ea9ddc2ed8fbfc4870db0587)
Bug: 1196781
Change-Id: Idc8d24792d5c413691977b09ca821de4e13887ad
Commit-Queue: Adrian Taylor <adetaylor@chromium.org>
Commit-Queue: Robert Flack <flackr@chromium.org>
Reviewed-by: Xianzhu Wang <wangxianzhu@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#870275}
Reviewed-by: Robert Flack <flackr@chromium.org>
Reviewed-by: Achuith Bhandarkar <achuith@chromium.org>
Reviewed-by: Victor-Gabriel Savu <vsavu@google.com>
Commit-Queue: Jana Grill <janagrill@chromium.org>
Cr-Commit-Position: refs/branch-heads/4240@{#1601}
Cr-Branched-From: f297677702651916bbf65e59c0d4bbd4ce57d1ee-refs/heads/master@{#800218}
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
-rw-r--r-- | chromium/third_party/blink/renderer/core/frame/local_frame_view.cc | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/chromium/third_party/blink/renderer/core/frame/local_frame_view.cc b/chromium/third_party/blink/renderer/core/frame/local_frame_view.cc index 1a661a7f0bd..69aa0731cc2 100644 --- a/chromium/third_party/blink/renderer/core/frame/local_frame_view.cc +++ b/chromium/third_party/blink/renderer/core/frame/local_frame_view.cc @@ -2503,9 +2503,12 @@ bool LocalFrameView::UpdateLifecyclePhasesInternal( CompositorElementIdSet(); PushPaintArtifactToCompositor(composited_element_ids.value()); // TODO(wkorman): Add call to UpdateCompositorScrollAnimations here. - DocumentAnimations::UpdateAnimations(GetLayoutView()->GetDocument(), - DocumentLifecycle::kPaintClean, - composited_element_ids); + { + ScriptForbiddenScope forbid_script; + DocumentAnimations::UpdateAnimations(GetLayoutView()->GetDocument(), + DocumentLifecycle::kPaintClean, + composited_element_ids); + } // Notify the controller that the artifact has been pushed and some // lifecycle state can be freed (such as raster invalidations). |
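Review bot: the new `ScriptForbiddenScope forbid_script;` block around `DocumentAnimations::UpdateAnimations` carries no comment explaining why script must not run at this point in `UpdateLifecyclePhasesInternal`; a one-line comment stating that the document is in `DocumentLifecycle::kPaintClean` here and that any script-triggered DOM mutation would invalidate the layout and paint state just pushed by `PushPaintArtifactToCompositor` (the use-after-free described in the commit title, Bug 1196781) would make the intent clear to the next maintainer, since an unexplained forbid-scope is easy to drop during a refactor. Also, the change stats show only `local_frame_view.cc` touched (1 file changed, 6 insertions, 3 deletions) with no accompanying test; if the original review landed a regression test for the script-during-paint path, the backport should carry it too, or the commit message should say why it was omitted. Finally, note that forbidding script inside `UpdateAnimations` changes behaviour for any animation event or callback that previously ran synchronously there: with the scope active such script is blocked rather than executed, so it is worth confirming that those callbacks are dispatched later in the lifecycle rather than silently lost.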