author | Balazs Engedy <engedy@chromium.org> | 2021-03-31 07:47:19 +0000 |
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2021-05-12 12:45:15 +0200 |
commit | 07af1bb4559d63ffe80a15603622dc2b75792da7 (patch) | |
tree | 4084ca537f1d9651872156546938602eb281663e /chromium/content/browser/permissions/permission_controller_impl.cc | |
parent | 7b8cc71693eb46cd9736ecd7def065376d009faf (diff) | |
download | qtwebengine-chromium-07af1bb4559d63ffe80a15603622dc2b75792da7.tar.gz |
[Backport] CVE-2021-21201: Use after free in permissions
Partial backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2791431:
Use IDType for permission change subscriptions.
Bug: 1025683
Change-Id: I3b44ba7833138e8a657a4192e1a36c978695db32
Reviewed-by: Richard Coles <torne@chromium.org>
Reviewed-by: Yuchen Liu <yucliu@chromium.org>
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Reviewed-by: Andrey Kosyakov <caseq@chromium.org>
Reviewed-by: Fabrice de Gans-Riberi <fdegans@chromium.org>
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Illia Klimov <elklm@google.com>
Auto-Submit: Balazs Engedy <engedy@chromium.org>
Commit-Queue: Balazs Engedy <engedy@chromium.org>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'chromium/content/browser/permissions/permission_controller_impl.cc')
-rw-r--r-- | chromium/content/browser/permissions/permission_controller_impl.cc | 20 |
1 files changed, 11 insertions, 9 deletions
diff --git a/chromium/content/browser/permissions/permission_controller_impl.cc b/chromium/content/browser/permissions/permission_controller_impl.cc
index ddd6656e035..3a6e38178c1 100644
--- a/chromium/content/browser/permissions/permission_controller_impl.cc
+++ b/chromium/content/browser/permissions/permission_controller_impl.cc
@@ -133,7 +133,8 @@ struct PermissionControllerImpl::Subscription {
   int render_frame_id = -1;
   int render_process_id = -1;
   base::RepeatingCallback<void(blink::mojom::PermissionStatus)> callback;
-  int delegate_subscription_id;
+  // This is default-initialized to an invalid ID.
+  PermissionControllerDelegate::SubscriptionId delegate_subscription_id;
 };
 
 PermissionControllerImpl::~PermissionControllerImpl() {
@@ -389,7 +390,8 @@ void PermissionControllerImpl::OnDelegatePermissionStatusChange(
   subscription->callback.Run(status);
 }
 
-int PermissionControllerImpl::SubscribePermissionStatusChange(
+PermissionControllerImpl::SubscriptionId
+PermissionControllerImpl::SubscribePermissionStatusChange(
     PermissionType permission,
     RenderFrameHost* render_frame_host,
     const GURL& requesting_origin,
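Review bot: The new `delegate_subscription_id` field is typed `PermissionControllerDelegate::SubscriptionId`, whereas the id this class hands back to callers (see the second hunk) is `PermissionControllerImpl::SubscriptionId`; the added comment should spell out that these are two separate id spaces, since keeping them apart is what replacing the plain `int` buys. Suggest widening the comment to `// ID the delegate returned for this subscription, if one was made. A distinct type from PermissionControllerImpl::SubscriptionId; presumably never a key into subscriptions_. Default-initialized to an invalid ID when no delegate subscription exists.` The "presumably" can be dropped once confirmed against the header, which this partial backport does not show.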
@@ -423,22 +425,22 @@ int PermissionControllerImpl::SubscribePermissionStatusChange(
         base::BindRepeating(
             &PermissionControllerImpl::OnDelegatePermissionStatusChange,
             base::Unretained(this), subscription.get()));
-  } else {
-    subscription->delegate_subscription_id = kNoPendingOperation;
   }
-  return subscriptions_.Add(std::move(subscription));
+
+  auto id = subscription_id_generator_.GenerateNextId();
+  subscriptions_.AddWithID(std::move(subscription), id);
+  return id;
 }
 
 void PermissionControllerImpl::UnsubscribePermissionStatusChange(
-    int subscription_id) {
+    SubscriptionId subscription_id) {
   Subscription* subscription = subscriptions_.Lookup(subscription_id);
   if (!subscription)
     return;
   PermissionControllerDelegate* delegate =
       browser_context_->GetPermissionControllerDelegate();
-  if (delegate &&
-      subscription->delegate_subscription_id != kNoPendingOperation) {
-    delegate->UnsubscribePermissionStatusChange(
+  if (delegate) {
+    delegate->UnsubscribePermissionStatusChange(
         subscription->delegate_subscription_id);
   }
   subscriptions_.Remove(subscription_id);
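Review bot: The `if (delegate)` branch in UnsubscribePermissionStatusChange now forwards `subscription->delegate_subscription_id` to the delegate even when no delegate subscription was ever made, because the removed `else` that set `kNoPendingOperation` is gone and the field keeps its default invalid value; this silently relies on the delegate's `UnsubscribePermissionStatusChange` treating an invalid id as a no-op. An explicit guard keeps that contract visible at the call site: `if (delegate && !subscription->delegate_subscription_id.is_null()) {`, assuming the IdType wrapper exposes `is_null()` as base's does. Separately, the delegate is re-fetched from `browser_context_` here rather than remembered from subscribe time, so if it could differ, the delegate-side registration holding `base::Unretained(this), subscription.get()` would survive the `subscriptions_.Remove` below with a dangling pointer; a comment stating that the delegate is assumed fixed for the BrowserContext's lifetime would make that assumption auditable. SubscribePermissionStatusChange begins before this hunk and UnsubscribePermissionStatusChange ends after it.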