diff options
| author | Igor Bukanov <igor@vivaldi.com> | 2020-02-25 17:38:25 +0000 |
|---|---|---|
| committer | Michal Klocek <michal.klocek@qt.io> | 2020-04-22 18:13:41 +0000 |
| commit | 904d83d41b4d21855c0178430e8f6bf6caf2ee82 (patch) | |
| tree | 66b0f833e08448321fa7c2ebe32243edc4513cf1 | |
| parent | 8a691f3194766ae57fe2626a05b4a007201e8583 (diff) | |
| download | qtwebengine-chromium-904d83d41b4d21855c0178430e8f6bf6caf2ee82.tar.gz | |
[Backport] CVE-2020-6436
EndDrag should use weak_ptr for its arg
As WebContentsViewAura::EndDrag can be arbitrary delayed waiting for the
renderer process to perform asynchronous targetting, it should use a
weak pointer for the RenderWidgetHostImpl argument.
Bug: 1034519
Change-Id: I8c5a54b0ae4f159974803ab53464d22c812579b6
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| -rw-r--r-- | chromium/content/browser/web_contents/web_contents_view_aura.cc | 12 | ||||
| -rw-r--r-- | chromium/content/browser/web_contents/web_contents_view_aura.h | 3 |
2 files changed, 10 insertions, 5 deletions
diff --git a/chromium/content/browser/web_contents/web_contents_view_aura.cc b/chromium/content/browser/web_contents/web_contents_view_aura.cc index 75972bb7f6c..e0f64689e25 100644 --- a/chromium/content/browser/web_contents/web_contents_view_aura.cc +++ b/chromium/content/browser/web_contents/web_contents_view_aura.cc @@ -726,8 +726,9 @@ void WebContentsViewAura::SizeChangedCommon(const gfx::Size& size) { rwhv->SetSize(size); } -void WebContentsViewAura::EndDrag(RenderWidgetHost* source_rwh, - blink::WebDragOperationsMask ops) { +void WebContentsViewAura::EndDrag( + base::WeakPtr<RenderWidgetHostImpl> source_rwh_weak_ptr, + blink::WebDragOperationsMask ops) { drag_start_process_id_ = ChildProcessHost::kInvalidUniqueID; drag_start_view_id_ = GlobalRoutingID(ChildProcessHost::kInvalidUniqueID, MSG_ROUTING_NONE); @@ -735,6 +736,9 @@ void WebContentsViewAura::EndDrag(RenderWidgetHost* source_rwh, if (!web_contents_) return; + // It is OK for source_rwh to be null. + RenderWidgetHost* source_rwh = source_rwh_weak_ptr.get(); + aura::Window* window = GetContentNativeView(); gfx::PointF screen_loc = gfx::PointF(display::Screen::GetScreen()->GetCursorScreenPoint()); @@ -1114,11 +1118,11 @@ void WebContentsViewAura::StartDragging( // callback yet. So we have to make sure to delay calling EndDrag until drop // is done. if (!drag_in_progress_) - EndDrag(source_rwh_weak_ptr.get(), ConvertToWeb(result_op)); + EndDrag(std::move(source_rwh_weak_ptr), ConvertToWeb(result_op)); else end_drag_runner_ = base::ScopedClosureRunner(base::BindOnce( &WebContentsViewAura::EndDrag, weak_ptr_factory_.GetWeakPtr(), - source_rwh_weak_ptr.get(), ConvertToWeb(result_op))); + std::move(source_rwh_weak_ptr), ConvertToWeb(result_op))); } void WebContentsViewAura::UpdateDragCursor(blink::WebDragOperation operation) { diff --git a/chromium/content/browser/web_contents/web_contents_view_aura.h b/chromium/content/browser/web_contents/web_contents_view_aura.h index acdba5fb4de..1a98d14b03e 100644 --- a/chromium/content/browser/web_contents/web_contents_view_aura.h +++ b/chromium/content/browser/web_contents/web_contents_view_aura.h @@ -108,7 +108,8 @@ class CONTENT_EXPORT WebContentsViewAura void SizeChangedCommon(const gfx::Size& size); - void EndDrag(RenderWidgetHost* source_rwh, blink::WebDragOperationsMask ops); + void EndDrag(base::WeakPtr<RenderWidgetHostImpl> source_rwh_weak_ptr, + blink::WebDragOperationsMask ops); void InstallOverscrollControllerDelegate(RenderWidgetHostViewAura* view); |