author | Kevin McNee <mcnee@chromium.org> | 2022-07-20 09:53:43 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2022-08-01 16:03:04 +0000 |
commit | 51f8868a8cf034df7dc8f2d72924b7197418b0c2 (patch) | |
tree | ca8045329179b3fef163fd6386deade81cb16c5b | |
parent | 1a88dca8fec1556326df28c241e4bbf080311194 (diff) | |
download | qtwebengine-chromium-51f8868a8cf034df7dc8f2d72924b7197418b0c2.tar.gz |
[Backport] CVE-2022-2477 : Use after free in Guest View
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3726008:
Use weak ptr for webview JavaScriptDialogHelper callback
M96 merge issues:
javascript_dialog_helper.h:
Conflicting types for web_view_guest_
This can be called asynchronously, potentially after the associated
WebViewGuest is destroyed.
(cherry picked from commit 1c09b9292dba7dfdc28b9bd09c61e3a0faf7b302)
Bug: 1336266
Change-Id: I8a4ec5ab124a9d5ca2ad45b1915666c8b7c98f79
Auto-Submit: Kevin McNee <mcnee@chromium.org>
Commit-Queue: James Maclean <wjmaclean@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1015960}
Reviewed-by: Simon Hangl <simonha@google.com>
Owners-Override: Simon Hangl <simonha@google.com>
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Cr-Commit-Position: refs/branch-heads/4664@{#1665}
Cr-Branched-From: 24dc4ee75e01a29d390d43c9c264372a169273a7-refs/heads/main@{#929512}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/extensions/browser/guest_view/web_view/javascript_dialog_helper.cc | 2 | ||||
-rw-r--r-- | chromium/extensions/browser/guest_view/web_view/javascript_dialog_helper.h | 3 |
2 files changed, 4 insertions, 1 deletions
diff --git a/chromium/extensions/browser/guest_view/web_view/javascript_dialog_helper.cc b/chromium/extensions/browser/guest_view/web_view/javascript_dialog_helper.cc
index 2e9c330e678..12f7b4b4406 100644
--- a/chromium/extensions/browser/guest_view/web_view/javascript_dialog_helper.cc
+++ b/chromium/extensions/browser/guest_view/web_view/javascript_dialog_helper.cc
@@ -66,7 +66,7 @@ void JavaScriptDialogHelper::RunJavaScriptDialog(
 web_view_permission_helper->RequestPermission(
 WEB_VIEW_PERMISSION_TYPE_JAVASCRIPT_DIALOG, request_info,
 base::BindOnce(&JavaScriptDialogHelper::OnPermissionResponse,
- base::Unretained(this), std::move(callback)),
+ weak_factory_.GetWeakPtr(), std::move(callback)),
 false /* allowed_by_default */);
 }
diff --git a/chromium/extensions/browser/guest_view/web_view/javascript_dialog_helper.h b/chromium/extensions/browser/guest_view/web_view/javascript_dialog_helper.h
index ae759a14c18..125977727f4 100644
--- a/chromium/extensions/browser/guest_view/web_view/javascript_dialog_helper.h
+++ b/chromium/extensions/browser/guest_view/web_view/javascript_dialog_helper.h
@@ -6,6 +6,7 @@
 #define EXTENSIONS_BROWSER_GUEST_VIEW_WEB_VIEW_JAVASCRIPT_DIALOG_HELPER_H_
 #include "base/macros.h"
+#include "base/memory/weak_ptr.h"
 #include "content/public/browser/javascript_dialog_manager.h"
 namespace extensions {
@@ -43,6 +44,8 @@ class JavaScriptDialogHelper : public content::JavaScriptDialogManager {
 // Pointer to the webview that is being helped.
 WebViewGuest* const web_view_guest_;
+ base::WeakPtrFactory<JavaScriptDialogHelper> weak_factory_{this};
+
 DISALLOW_COPY_AND_ASSIGN(JavaScriptDialogHelper);
 };
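Review bot: Binding `weak_factory_.GetWeakPtr()` instead of `base::Unretained(this)` changes the failure mode from a use-after-free to a silently skipped call: when the helper is destroyed before the permission response arrives, OnPermissionResponse is not invoked and the `callback` moved into the bind is destroyed unrun, so the dialog is never answered. That is presumably acceptable here because the helper appears to be owned by its WebViewGuest (web_view_guest_ is a const raw pointer member) whose contents are gone as well in that case, but nothing in the hunk says so; I would annotate the new line with `// Weak: if this helper is gone the dialog callback is dropped, which is fine because the guest's contents are gone too.` If content's dialog manager ever requires the closed-callback to be run, the drop would need a `base::ScopedClosureRunner`-style fallback instead, which is worth confirming against the callback's contract. RunJavaScriptDialog begins before this hunk.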
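Review bot: The new weak_factory_ member in javascript_dialog_helper.h has no comment, although Chromium convention is that a WeakPtrFactory must stay the last data member so that outstanding weak pointers are invalidated before any other member is destroyed, and that the declaration says so. It is placed after web_view_guest_ and just before DISALLOW_COPY_AND_ASSIGN, which appears to be the end of the member list, so the placement looks correct; I would add `// Must be the last member so that weak pointers are invalidated before the rest of the object is torn down.` above the declaration. The class body starts before this hunk, so I cannot see whether other members precede web_view_guest_; the same ordering rule covers them as long as nothing is declared after the factory.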