authorKevin Ellis <kevers@chromium.org>2021-01-18 22:39:20 +0000
committerMichael Brüning <michael.bruning@qt.io>2021-04-09 10:51:20 +0000
commit4e9b94e56efcc4c992a29a125c7007bd57e5cac6 (patch)
treec88142e0f2ad6b3c31122ef7c26bfdfdc7339be4
parent70fbd69ee6c2560ff5b483f1bb23678267dfca2b (diff)
[Backport] CVE-2021-21188: Use after free in Blink.
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2636213: Test for persistent execution context during Animatable::animate. Prior to the patch, the validity of the execution context was only checked on entry to the method; however, the execution context can be invalidated during the course of parsing keyframes or options. The parsing of options is upstream of Animatable::animate and caught by the existing check, but invalidation during keyframe parsing could fall through, triggering a crash. Bug: 1161739 Change-Id: Ic0fc927d1d6ce902592bf92261fd4c506e96afac Commit-Queue: Kevin Ellis <kevers@chromium.org> Reviewed-by: Robert Flack <flackr@chromium.org> Cr-Commit-Position: refs/heads/master@{#844622} Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/core/animation/element_animation.cc13
1 files changed, 13 insertions, 0 deletions
diff --git a/chromium/third_party/blink/renderer/core/animation/element_animation.cc b/chromium/third_party/blink/renderer/core/animation/element_animation.cc
index 4369fa97758..814e243a529 100644
--- a/chromium/third_party/blink/renderer/core/animation/element_animation.cc
+++ b/chromium/third_party/blink/renderer/core/animation/element_animation.cc
@@ -36,12 +36,21 @@ Animation* ElementAnimation::animate(
if (exception_state.HadException())
return nullptr;
+ // Creation of the keyframe effect parses JavaScript, which could result
+ // in destruction of the execution context. Recheck that it is still valid.
+ if (!element.GetExecutionContext())
+ return nullptr;
+
Timing timing =
TimingInput::Convert(options, &element.GetDocument(), exception_state);
if (exception_state.HadException())
return nullptr;
Animation* animation = animateInternal(element, effect, timing);
+
+ if (!animation)
+ return nullptr;
+
if (options.IsKeyframeAnimationOptions())
animation->setId(options.GetAsKeyframeAnimationOptions().id());
return animation;
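Review bot: The execution-context recheck is placed before TimingInput::Convert, so it only covers script run during keyframe-effect creation; if Convert can re-enter JavaScript while reading the options dictionary, the context could still be torn down between the recheck and animateInternal. The commit message says options parsing happens upstream of this method, so this is presumably safe, but moving the recheck to immediately precede `Animation* animation = animateInternal(element, effect, timing);` (after the Convert exception check) would close that window without changing behaviour otherwise. The new `if (!animation) return nullptr;` guard is what protects the `animation->setId(...)` dereference below it; a one-line comment such as `// animateInternal can return nullptr; guard before setId.` would make that dependency explicit for the next reader. The enclosing `animate` overload begins outside the hunk.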
@@ -56,6 +65,10 @@ Animation* ElementAnimation::animate(ScriptState* script_state,
script_state, exception_state);
if (exception_state.HadException())
return nullptr;
+
+ if (!element.GetExecutionContext())
+ return nullptr;
+
return animateInternal(element, effect, Timing());
}
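Review bot: The added `if (!element.GetExecutionContext()) return nullptr;` carries no comment, unlike the identical check in the first hunk, so its rationale (that keyframe-effect creation can run script which invalidates the context) is not visible at this call site. Duplicating the explanation keeps the two overloads consistent, e.g. `// Keyframe-effect creation can run script that destroys the execution context; recheck before animating.`. This overload of `animate` starts outside the hunk.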