author | Andrew Xu <andrewxu@chromium.org> | 2022-05-27 20:03:41 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2022-08-08 15:24:40 +0000 |
commit | 916ffc811be5c59186abe7550e3b3959ec186985 (patch) | |
tree | 9b0d6a9e6d02202970bea19b6fab00bf63207f48 | |
parent | cd5579cf75189d03f6acb7dcbcdd13766dfe1259 (diff) | |
download | qtwebengine-chromium-916ffc811be5c59186abe7550e3b3959ec186985.tar.gz |
[Backport] CVE-2022-2613: Use after free in Input
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3648376:
Handle notifications sent by gesture provider during destruction
This CL clears `GestureRecognizerImpl::consumer_gesture_provider_`
explicitly so that the notifications from gesture provider during
destruction are handled by `GestureRecognizerImpl` properly.
Bug: 1325256
Change-Id: Iba3b645fc2ad18331947e5556015567a1e8eb513
Commit-Queue: Andrew Xu <andrewxu@chromium.org>
Reviewed-by: Sadrul Chowdhury <sadrul@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1008393}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/ui/events/gestures/gesture_recognizer_impl.cc | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/chromium/ui/events/gestures/gesture_recognizer_impl.cc b/chromium/ui/events/gestures/gesture_recognizer_impl.cc index 0420783a582..07440560c96 100644 --- a/chromium/ui/events/gestures/gesture_recognizer_impl.cc +++ b/chromium/ui/events/gestures/gesture_recognizer_impl.cc @@ -62,7 +62,13 @@ bool RemoveValueFromMap(std::map<Key, T>* map, const Value& value) { GestureRecognizerImpl::GestureRecognizerImpl() = default; -GestureRecognizerImpl::~GestureRecognizerImpl() = default; +GestureRecognizerImpl::~GestureRecognizerImpl() { + // The gesture recognizer impl observes the gesture providers that are owned + // by `consumer_gesture_provider_`. Clear `consumer_gesture_provider_` + // explicitly so that the notifications sent by gesture providers during + // destruction are handled properly. + consumer_gesture_provider_.clear(); +} // Checks if this finger is already down, if so, returns the current target. // Otherwise, returns NULL. |
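Review bot: The comment in the new `~GestureRecognizerImpl()` body says the notifications are "handled properly" but does not name the observer callback that runs during `consumer_gesture_provider_.clear()` or the members that callback reads, so the ordering requirement stays implicit. Replacing `= default` with an explicit clear at the top of the destructor means the providers are now torn down before any other member of the recognizer; consider stating that in the comment and naming the callback and the members it touches, so a later edit to the destructor or to member declaration order does not bring the use-after-free back. The diffstat lists only gesture_recognizer_impl.cc, so no test accompanies the fix here; a regression test that destroys the recognizer while a gesture provider is still registered would guard this path.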