author | Aaron Leventhal <aleventhal@google.com> | 2020-04-02 17:14:57 +0000 |
---|---|---|
committer | Michal Klocek <michal.klocek@qt.io> | 2020-04-24 14:32:47 +0000 |
commit | 798537f6ebbcfaf459b47724539daf795368a40e (patch) | |
tree | aba48cba10726554952602d2bdb6bcc0e850c1d4 | |
parent | f3fbe32fb256da3d0a8f92e61ebdca639d417e23 (diff) | |
download | qtwebengine-chromium-798537f6ebbcfaf459b47724539daf795368a40e.tar.gz |
[Backport] Security bug 1025740 2/2
Lifecycle change safety check
Lifecycle changes should not occur during a11y serialization.
This adds a safety check that triggers a DCHECK when that occurs.
Bug: 1025740
Change-Id: I858b7e437eeb97e3d0284192bda39128c16b6b7e
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
6 files changed, 85 insertions, 0 deletions
diff --git a/chromium/content/renderer/accessibility/blink_ax_tree_source.cc b/chromium/content/renderer/accessibility/blink_ax_tree_source.cc
index ed974c80302..094773f193f 100644
--- a/chromium/content/renderer/accessibility/blink_ax_tree_source.cc
+++ b/chromium/content/renderer/accessibility/blink_ax_tree_source.cc
@@ -31,6 +31,7 @@
 #include "third_party/blink/public/platform/web_vector.h"
 #include "third_party/blink/public/web/web_ax_enums.h"
 #include "third_party/blink/public/web/web_ax_object.h"
+#include "third_party/blink/public/web/web_disallow_transition_scope.h"
 #include "third_party/blink/public/web/web_document.h"
 #include "third_party/blink/public/web/web_element.h"
 #include "third_party/blink/public/web/web_form_control_element.h"
@@ -548,6 +549,13 @@ WebAXObject BlinkAXTreeSource::GetNull() const {
 void BlinkAXTreeSource::SerializeNode(WebAXObject src,
 AXContentNodeData* dst) const {
+#if DCHECK_IS_ON()
+ // Never causes a document lifecycle change during serialization,
+ // because the assumption is that layout is in a safe, stable state.
+ WebDocument document = GetMainDocument();
+ blink::WebDisallowTransitionScope disallow(&document);
+#endif
+
 dst->role = src.Role();
 AXStateFromBlink(src, dst);
 dst->id = src.AxID();
diff --git a/chromium/third_party/blink/public/BUILD.gn b/chromium/third_party/blink/public/BUILD.gn
index 9afd94a0762..2a0799012bb 100644
--- a/chromium/third_party/blink/public/BUILD.gn
+++ b/chromium/third_party/blink/public/BUILD.gn
@@ -3,6 +3,7 @@
 # found in the LICENSE file.
 import("//build/buildflag_header.gni")
+import("//build/config/dcheck_always_on.gni")
 import("//mojo/public/tools/bindings/mojom.gni")
 import("//third_party/blink/public/public_features.gni")
 import("//third_party/blink/renderer/config.gni")
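Review bot: The DCHECK-only guard added to SerializeNode hands `&document` to WebDisallowTransitionScope without checking that GetMainDocument() produced a non-null document, and the scope's Lifecycle() helper in web_disallow_transition_scope.cc does `Document* document = *web_document;` and then calls `document->Lifecycle()` unconditionally, so a null main document would turn the intended DCHECK into a null dereference in is_debug and dcheck_always_on builds. If GetMainDocument() can be null on this path (the hunk does not show its contract), report that explicitly before constructing the scope, e.g. `DCHECK(!document.IsNull());`, or have Lifecycle() check the pointer before dereferencing it. The same dereference appears in the .cc hunk further down; it is raised only here. The comment would also read better as an instruction, `// Must never cause a document lifecycle change during serialization,`. SerializeNode's body continues past the end of the hunk.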
@@ -443,6 +444,10 @@ source_set("blink_headers") {
 "web/win/web_font_rendering.h",
 ]
+ if (is_debug || dcheck_always_on) {
+ sources += [ "web/web_disallow_transition_scope.h" ]
+ }
+
 public_configs = [
 ":blink_headers_config",
diff --git a/chromium/third_party/blink/public/web/web_disallow_transition_scope.h b/chromium/third_party/blink/public/web/web_disallow_transition_scope.h
new file mode 100644
index 00000000000..f66515a6f58
--- /dev/null
+++ b/chromium/third_party/blink/public/web/web_disallow_transition_scope.h
@@ -0,0 +1,33 @@
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef THIRD_PARTY_BLINK_PUBLIC_WEB_WEB_DISALLOW_TRANSITION_SCOPE_H_
+#define THIRD_PARTY_BLINK_PUBLIC_WEB_WEB_DISALLOW_TRANSITION_SCOPE_H_
+
+#include <memory>
+
+#include "third_party/blink/public/platform/web_common.h"
+#include "third_party/blink/public/web/web_document.h"
+
+namespace blink {
+
+class DocumentLifecycle;
+
+class WebDisallowTransitionScope {
+ // Causes DCHECKs only, does not actually prevent lifecycle changes.
+ // This is useful to prevent certain types of crashes that occur, for example,
+ // when updating properties in the accessible object hierarchy.
+ public:
+ BLINK_EXPORT explicit WebDisallowTransitionScope(WebDocument* web_document);
+ BLINK_EXPORT virtual ~WebDisallowTransitionScope();
+
+ private:
+ DocumentLifecycle& Lifecycle(WebDocument*) const;
+
+ DocumentLifecycle& document_lifecycle_;
+};
+
+} // namespace blink
+
+#endif // THIRD_PARTY_BLINK_PUBLIC_WEB_WEB_DISALLOW_TRANSITION_SCOPE_H_
diff --git a/chromium/third_party/blink/renderer/core/BUILD.gn b/chromium/third_party/blink/renderer/core/BUILD.gn
index 1c2e3e6e287..4d6865ed531 100644
--- a/chromium/third_party/blink/renderer/core/BUILD.gn
+++ b/chromium/third_party/blink/renderer/core/BUILD.gn
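Review bot: WebDisallowTransitionScope in the new header is still copy-constructible: the reference member only suppresses copy-assignment, so the implicit copy constructor is generated, and a copy would run DecrementNoTransitionCount() twice for a single IncrementNoTransitionCount(), ending the protected window early without any diagnostic. Delete the copy operations next to the constructors, `WebDisallowTransitionScope(const WebDisallowTransitionScope&) = delete;` and `WebDisallowTransitionScope& operator=(const WebDisallowTransitionScope&) = delete;`. The `virtual` destructor looks unnecessary for a stack-scoped guard with no derived classes, and `<memory>` is included but nothing in the header uses it. The class comment is placed inside the class body before `public:`; Chromium style puts it above the `class` line, where it also documents the class for readers of the declaration.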
@@ -1594,6 +1594,10 @@ jumbo_source_set("unit_tests") {
 "xml/xpath_functions_test.cc",
 ]
+ if (is_debug || dcheck_always_on) {
+ sources += [ "exported/web_disallow_transition_scope_test.cc" ]
+ }
+
 configs += [
 ":blink_core_pch",
 "//third_party/blink/renderer:config",
diff --git a/chromium/third_party/blink/renderer/core/exported/BUILD.gn b/chromium/third_party/blink/renderer/core/exported/BUILD.gn
index 069f2e17000..2d8b1a89e44 100644
--- a/chromium/third_party/blink/renderer/core/exported/BUILD.gn
+++ b/chromium/third_party/blink/renderer/core/exported/BUILD.gn
@@ -1,6 +1,7 @@
 # Copyright 2017 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
+import("//build/config/dcheck_always_on.gni")
 import("//third_party/blink/renderer/core/core.gni")
 blink_core_sources("exported") {
@@ -81,5 +82,10 @@ blink_core_sources("exported") {
 "web_view_impl.h",
 ]
+ if (is_debug || dcheck_always_on) {
+ sources += [ "web_disallow_transition_scope.cc" ]
+ }
+
+
 defines = [ "BLINK_IMPLEMENTATION=1" ]
 }
diff --git a/chromium/third_party/blink/renderer/core/exported/web_disallow_transition_scope.cc b/chromium/third_party/blink/renderer/core/exported/web_disallow_transition_scope.cc
new file mode 100644
index 00000000000..e94290cbdb5
--- /dev/null
+++ b/chromium/third_party/blink/renderer/core/exported/web_disallow_transition_scope.cc
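Review bot: core/BUILD.gn adds `exported/web_disallow_transition_scope_test.cc` to the unit_tests sources, but no such file is part of this commit (the six files changed are the serializer, three BUILD.gn files, the header and the .cc), so is_debug and dcheck_always_on builds of unit_tests will fail on a missing source unless the companion 1/2 backport provides it. Either carry the test file together with this hunk or leave the `sources +=` line out until the test is ported. In the exported/BUILD.gn hunk the two consecutive added blank lines before `defines` look like a formatting slip; a single blank line matches the rest of the file.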
@@ -0,0 +1,29 @@
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "third_party/blink/public/web/web_disallow_transition_scope.h"
+
+#include "third_party/blink/public/web/web_document.h"
+#include "third_party/blink/renderer/core/dom/document.h"
+#include "third_party/blink/renderer/core/dom/document_lifecycle.h"
+
+namespace blink {
+
+WebDisallowTransitionScope::WebDisallowTransitionScope(
+ WebDocument* web_document)
+ : document_lifecycle_(Lifecycle(web_document)) {
+ document_lifecycle_.IncrementNoTransitionCount();
+}
+
+WebDisallowTransitionScope::~WebDisallowTransitionScope() {
+ document_lifecycle_.DecrementNoTransitionCount();
+}
+
+DocumentLifecycle& WebDisallowTransitionScope::Lifecycle(
+ WebDocument* web_document) const {
+ Document* document = *web_document;
+ return document->Lifecycle();
+}
+
+} // namespace blink |
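Review bot: web_disallow_transition_scope.cc is only compiled when `is_debug || dcheck_always_on` (exported/BUILD.gn), while the public header declares the class unconditionally, so a caller that is not itself inside `#if DCHECK_IS_ON()` compiles cleanly and then fails at link time, and if the GN condition and the DCHECK_IS_ON() macro ever diverge the safety check disappears silently rather than loudly. Mirror the gate in the header by wrapping the class declaration in the same `DCHECK_IS_ON()` condition, if that macro is available to the public headers, or at least state in the header comment that the class exists only in DCHECK builds and every use must sit inside `#if DCHECK_IS_ON()`. Lifecycle() is invoked from the constructor's mem-initializer list before any member is initialized; that is fine because it touches no members, but a one-line comment saying so, `// Called from the mem-initializer list; must not read members.`, would keep a later edit from breaking it.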