diff options
| author | Greg Daniel <egdaniel@google.com> | 2022-10-05 15:28:56 -0400 |
|---|---|---|
| committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2022-11-15 11:34:12 +0000 |
| commit | 3fee1f10c075c78ea88386386158961600643532 (patch) | |
| tree | b72e0e301f5c8473cc5299ee3e1779c317e4a7b3 | |
| parent | dee7de2a5e42abc2ebf79e8a5a6780f6642aec51 (diff) | |
| download | qtwebengine-chromium-3fee1f10c075c78ea88386386158961600643532.tar.gz | |
[Backport] CVE-2022-3445: Use after free in Skia.
Manual partial cherry-pick of patch originally reviewed on
https://skia-review.googlesource.com/c/skia/+/587879:
Fix GrDirectContext::fClinetMappedBuffer access in abandoned callbacks.
Bug: chromium:1364604
Change-Id: I1ca44cab1c762e7f94ac94be94991ec94a7497be
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/583963
Commit-Queue: Greg Daniel <egdaniel@google.com>
Reviewed-by: Brian Salomon <bsalomon@google.com>
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/587879
Auto-Submit: Greg Daniel <egdaniel@google.com>
Commit-Queue: Brian Salomon <bsalomon@google.com>
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/440031
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| -rw-r--r-- | chromium/third_party/skia/src/gpu/GrContext.cpp | 2 | ||||
| -rw-r--r-- | chromium/third_party/skia/src/gpu/GrFinishCallbacks.cpp | 11 |
2 files changed, 9 insertions, 4 deletions
diff --git a/chromium/third_party/skia/src/gpu/GrContext.cpp b/chromium/third_party/skia/src/gpu/GrContext.cpp index 96edd6fba28..e0a599f341e 100644 --- a/chromium/third_party/skia/src/gpu/GrContext.cpp +++ b/chromium/third_party/skia/src/gpu/GrContext.cpp @@ -129,8 +129,6 @@ void GrContext::abandonContext() { fResourceCache->abandonAll(); fGpu->disconnect(GrGpu::DisconnectType::kAbandon); - - fMappedBufferManager.reset(); } void GrContext::releaseResourcesAndAbandonContext() { diff --git a/chromium/third_party/skia/src/gpu/GrFinishCallbacks.cpp b/chromium/third_party/skia/src/gpu/GrFinishCallbacks.cpp index 4c0abf9d3ba..bc337a2c469 100644 --- a/chromium/third_party/skia/src/gpu/GrFinishCallbacks.cpp +++ b/chromium/third_party/skia/src/gpu/GrFinishCallbacks.cpp @@ -35,10 +35,17 @@ void GrFinishCallbacks::check() { void GrFinishCallbacks::callAll(bool doDelete) { while (!fCallbacks.empty()) { - fCallbacks.front().fCallback(fCallbacks.front().fContext); + // While we are processing a proc we need to make sure to remove it from + // the callback list before calling it. This is because the client could + // trigger a call (e.g. calling flushAndSubmit(/*sync=*/true)) that has + // us process the finished callbacks. We also must process deleting the + // fence before a client may abandon the context. + auto finishCallback = fCallbacks.front(); if (doDelete) { - fGpu->deleteFence(fCallbacks.front().fFence); + fGpu->deleteFence(finishCallback.fFence); } fCallbacks.pop_front(); + finishCallback.fCallback(finishCallback.fContext); } } + |