From e9e9b18fa2b57edb586b5d14c2cffdf5d5066cdd Mon Sep 17 00:00:00 2001
From: Joey Arhar
Date: Tue, 26 Jul 2022 19:42:57 +0000
Subject: [Backport] CVE-2022-2857: Use after free in Blink
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3751710: Don't re-lock DisplayLocks during forced unlock When a DisplayLock is unlocked via ForceUnlockIfNeeded, subsequent updates to the DisplayLock can cause it to become locked again which is problematic. This patch prevents the DisplayLock from being locked again until the next frame.
Fixed: 1338135
Change-Id: I07790658e25ea9fe2f4e8de154e3a58e7e08892b
Commit-Queue: Joey Arhar
Reviewed-by: Vladimir Levin
Cr-Commit-Position: refs/heads/main@{#1028405}
Reviewed-by: Michal Klocek
---
 .../blink/renderer/core/display_lock/display_lock_context.cc | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/chromium/third_party/blink/renderer/core/display_lock/display_lock_context.cc b/chromium/third_party/blink/renderer/core/display_lock/display_lock_context.cc
index a6207c2a5b3..686aa701731 100644
--- a/chromium/third_party/blink/renderer/core/display_lock/display_lock_context.cc
+++ b/chromium/third_party/blink/renderer/core/display_lock/display_lock_context.cc
@@ -1026,6 +1026,9 @@ bool DisplayLockContext::ForceUnlockIfNeeded() {
 layout_invalidation_reason::kDisplayLock);
 }
 }
+ // If we forced unlock, then we need to prevent subsequent calls to
+ // Lock() until the next frame.
+ SetRequestedState(EContentVisibility::kVisible);
 }
 return true;
 }
--
cgit v1.2.1
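Review bot: The backport carries only the three-line fix (the diffstat shows 1 file changed, 3 insertions) and no regression test, so nothing in this commit pins the "forced unlock must not be re-locked in the same frame" behaviour that the CVE fix depends on; if the upstream CL's test is applicable to this branch it would be worth cherry-picking alongside. The added comment promises that Lock() is blocked "until the next frame", but the line itself only records a requested state of kVisible, and whether Lock() consults that state and where it is reset is decided elsewhere in DisplayLockContext, so I would make the comment describe the mechanism rather than the effect, along the lines of `// Record kVisible so that any Lock() triggered by further updates in this frame is refused; the requested state is re-evaluated on the next frame.` if that matches the implementation. ForceUnlockIfNeeded's body begins outside the hunk, so the condition under which this branch executes is not visible here.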