From ae89c0c16bfc7de4b999f82159ed9aa8f814fb81 Mon Sep 17 00:00:00 2001
From: Kramer Ge
Date: Mon, 14 Mar 2022 00:07:44 +0000
Subject: [Backport] CVE-2022-1487: Use after free in Ozone

Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3517354:

WaylandWindow's parent_window use-after-free

To insure the child_window access after parent's destruct doesn't have UAF, clear the parent_window of the child in dtor.

Change-Id: I18ea65a76e715e98747588fbe75e1a37cbbe199c
Bug: 1304368
Reviewed-by: Maksim Sisov
Commit-Queue: Kramer Ge
Cr-Commit-Position: refs/heads/main@{#980391}
Reviewed-by: Allan Sandfeld Jensen
Reviewed-by: Michal Klocek
---
 chromium/ui/ozone/platform/wayland/host/wayland_window.cc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/chromium/ui/ozone/platform/wayland/host/wayland_window.cc b/chromium/ui/ozone/platform/wayland/host/wayland_window.cc
index edc21c70b89..0b06d4bd93a 100644
--- a/chromium/ui/ozone/platform/wayland/host/wayland_window.cc
+++ b/chromium/ui/ozone/platform/wayland/host/wayland_window.cc
@@ -78,6 +78,9 @@ WaylandWindow::~WaylandWindow() {
   if (parent_window_)
     parent_window_->set_child_window(nullptr);
+
+  if (child_window_)
+    child_window_->set_parent_window(nullptr);
 }
 
 void WaylandWindow::OnWindowLostCapture() {
-- 
cgit v1.2.1
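Review bot: The added unlink of `child_window_` carries no comment, and since this is the line that closes a use-after-free the reason deserves to be stated at the point of use; a comment above the new `if`, `// Clear the child's back-pointer so it cannot dereference this window after it is destroyed (bug 1304368).`, would also cover the mirror-image `parent_window_` block just above it. The fix assumes one back-reference per window: only the single `child_window_` pointer is cleared here, so any other object that cached a pointer to this window is not covered by this change and would need its own unlink, which cannot be confirmed from the hunk. Whether `set_parent_window(nullptr)` on the child does anything beyond resetting the pointer is not visible here either, so it is worth confirming it is safe to call from a destructor. The body of `~WaylandWindow` starts before the hunk.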