authorJustin Novosad <junov@chromium.org>2022-07-15 23:12:50 +0000
committerMichael Brüning <michael.bruning@qt.io>2022-08-03 10:07:21 +0000
commit25e7c21bb373827a7b94d3d3b0f6de4dacf14399 (patch)
treef11a84161abfd85297161a7c697a67a0430cf4d1
parent2874d728ffe87d7e6eaad25954ded53fb4ca974a (diff)
[Backport] Security bug 1334864
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3752921: Mitigate bad cast in OffscreenCanvas::GetFontSelector This change will cause the browser to crash if the execution context is not a Window or WorkerGlobalScope. This is a temporary solution to handle the case where the execution context is an AudioWorkletGlobalScope. The longer term solution, which will be implemented in a follow-up CL, is to block OffscreenCanvas objects from being transferred to AudioWorklets, as required by the postMessage spec. BUG=1334864 (cherry picked from commit 028c11e59fd41bc22eff06dbec10fe9b0e82bd04) Change-Id: Ief5e37eca6dff14098b12cdbe6fc362c3dd87d1d Auto-Submit: Justin Novosad <junov@chromium.org> Reviewed-by: Juanmi Huertas <juanmihd@chromium.org> Commit-Queue: Juanmi Huertas <juanmihd@chromium.org> Cr-Original-Commit-Position: refs/heads/main@{#1017357} Commit-Queue: Srinivas Sista <srinivassista@chromium.org> Cr-Commit-Position: refs/branch-heads/5005@{#1254} Cr-Branched-From: 5b4d9450fee01f821b6400e947b3839727643a71-refs/heads/main@{#992738} Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/core/offscreencanvas/offscreen_canvas.cc3
1 files changed, 3 insertions, 0 deletions
diff --git a/chromium/third_party/blink/renderer/core/offscreencanvas/offscreen_canvas.cc b/chromium/third_party/blink/renderer/core/offscreencanvas/offscreen_canvas.cc
index 1c180dc1186..ac85ed70eb7 100644
--- a/chromium/third_party/blink/renderer/core/offscreencanvas/offscreen_canvas.cc
+++ b/chromium/third_party/blink/renderer/core/offscreencanvas/offscreen_canvas.cc
@@ -554,6 +554,9 @@ FontSelector* OffscreenCanvas::GetFontSelector() {
if (auto* window = DynamicTo<LocalDOMWindow>(GetExecutionContext())) {
return window->document()->GetStyleEngine().GetFontSelector();
}
+ // TODO(crbug.com/1334864): Temporary mitigation. Remove the following
+ // CHECK once a more comprehensive solution has been implemented.
+ CHECK(GetExecutionContext()->IsWorkerGlobalScope());
return To<WorkerGlobalScope>(GetExecutionContext())->GetFontSelector();
}
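Review bot: The added CHECK dereferences GetExecutionContext() directly, so if the context can be null on this path (an OffscreenCanvas whose context has already been destroyed) the failure mode is a null dereference instead of a CHECK failure; the existing To<WorkerGlobalScope> on the following line had the same exposure before this patch. GetExecutionContext() is now also called three times in a row inside the hunk. Both points could be addressed by folding the type check and the null check into one step: `auto* scope = DynamicTo<WorkerGlobalScope>(GetExecutionContext());` / `CHECK(scope);` / `return scope->GetFontSelector();`, assuming DynamicTo tolerates a null input the same way the LocalDOMWindow branch above relies on. Whether a null context is actually reachable here cannot be confirmed from the hunk, and GetFontSelector's opening line lies outside it (only the @@ header names the function).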