delta/qt5/qtwebengine.git - code.qt.io: qt/qtwebengine.git

diff options

author	Jüri Valdmann <juri.valdmann@qt.io>	2018-11-26 14:37:49 +0100
committer	Jüri Valdmann <juri.valdmann@qt.io>	2018-11-27 08:31:44 +0000
commit	bd34017fdd17a1044bd645c68386fda29ab77d0d (patch)
tree	88a1515e204215530f19962919502900875b17a0 /src/core/api/qwebengineurlschemehandler.cpp
parent	44abfea789b8677a741530c44a0cd35e5276ddf3 (diff)
download	qtwebengine-bd34017fdd17a1044bd645c68386fda29ab77d0d.tar.gz

Fix use-after-free in URLRequestCustomJobProxy::reply

The following operations are executing concurrently on the UI & IO threads: 1. UI thread executes QWebEngineUrlRequestJob::reply --> PostTask(IO, URLRequestCustomJobProxy::reply). IO thread executes URLRequestCustomJob::Kill --> PostTask(UI, URLRequestCustomJobProxy::release). 2. UI thread executes URLRequestCustomJobProxy::release, then deletes the QWebEngineUrlRequestJob and the QIODevice. IO thread executes URLRequestCustomJobProxy::reply and tries to use the QIODevice. Depending on scheduling, the IO thread will try to use the QIODevice after it has been deleted on the UI thread. Change-Id: I7a9793a7492a493e1787e7ee6d0058c0d1aa00ac Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io> Reviewed-by: Michal Klocek <michal.klocek@qt.io>

Diffstat (limited to 'src/core/api/qwebengineurlschemehandler.cpp')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: