author | Justin Novosad <junov@chromium.org> | 2021-11-11 22:24:28 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2022-02-18 01:18:54 +0000 |
commit | 80a9238f372f81cb73bb97a9e59f243e13ad8588 (patch) | |
tree | 45ef128d4062c26f1197b9787fabf45d878de86a | |
parent | 3e5e3920a8f7c720cb15eed2d7febae53009f074 (diff) | |
download | qtwebengine-chromium-80a9238f372f81cb73bb97a9e59f243e13ad8588.tar.gz |
[Backport] Security bug 1268448
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3276832:
Fix dangerous lambda capture in BaseRenderingContext2D
We had a lambda that was capturing a local variable by address in a
context where it is possible for the lambda to be executed
asynchronously. This could cause memory to be read after being popped
off the stack.
This is a quick bandaid solution. The more permanent solution is to
refactor the code to use a pattern that avoids injecting capturing
lambdas into WTF::Bind Callbacks that are executed asynchronously.
BUG=1268448
Change-Id: I1b08392847e13f4039ec34eee6a66239096b1bf1
Commit-Queue: Justin Novosad <junov@chromium.org>
Commit-Queue: Aaron Krajeski <aaronhk@chromium.org>
Auto-Submit: Justin Novosad <junov@chromium.org>
Reviewed-by: Aaron Krajeski <aaronhk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#940945}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/third_party/blink/renderer/modules/canvas/canvas2d/base_rendering_context_2d.cc | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/chromium/third_party/blink/renderer/modules/canvas/canvas2d/base_rendering_context_2d.cc b/chromium/third_party/blink/renderer/modules/canvas/canvas2d/base_rendering_context_2d.cc index 98b485c0911..9d47aed5b3a 100644 --- a/chromium/third_party/blink/renderer/modules/canvas/canvas2d/base_rendering_context_2d.cc +++ b/chromium/third_party/blink/renderer/modules/canvas/canvas2d/base_rendering_context_2d.cc @@ -1514,7 +1514,7 @@ void BaseRenderingContext2D::drawImage(ScriptState* script_state, DrawImageInternal(c, image_source, image.get(), src_rect, dst_rect, sampling, flags); }, - [this, &dst_rect](const SkIRect& clip_bounds) // overdraw test lambda + [this, dst_rect](const SkIRect& clip_bounds) // overdraw test lambda { return RectContainsTransformedRect(dst_rect, clip_bounds); }, dst_rect, CanvasRenderingContext2DState::kImagePaintType, image_source->IsOpaque() |
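Review bot: switching `&dst_rect` to `dst_rect` in the overdraw test lambda removes the dangling reference to the stack-local rect, but the same capture list still holds `this` as a raw pointer, so the lambda is only safe if it can never run after the `BaseRenderingContext2D` is gone; the commit message describes this as a bandaid, so a one-line comment at the capture stating that lifetime guarantee (or a weak handle in place of the raw `this`) would make the remaining assumption explicit. The sibling draw lambda whose body is visible at the top of the hunk also reads `src_rect` and `dst_rect`; its capture list is outside the hunk, so please confirm it captures those by value as well, otherwise the same read-after-pop issue remains one line above the fix.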