author | Michal Klocek <michal.klocek@qt.io> | 2023-01-13 16:00:48 +0100 |
committer | Michal Klocek <michal.klocek@qt.io> | 2023-02-27 13:55:08 +0100 |
commit | 16d3701b1dd4887cc4affb0447ee3b9b7729e7fb (patch) | |
tree | da773d83c592c164faaf05a8c942a43b880fc7be /src | |
parent | 52728ddf8840c1e786da6fc8d8a8918834d79a32 (diff) | |
Fix use after free in permission grant
The permission grant can become a dangling pointer in the
origin state struct; fix it.
Pick-to: 6.5 6.4
Change-Id: If16b604a8c3c05d09ea923251dabcae73192dd7d
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'src')
4 files changed, 29 insertions, 2 deletions
diff --git a/src/core/file_system_access/file_system_access_permission_context_qt.cpp b/src/core/file_system_access/file_system_access_permission_context_qt.cpp
index bc88f7898..2fd710ad6 100644
--- a/src/core/file_system_access/file_system_access_permission_context_qt.cpp
+++ b/src/core/file_system_access/file_system_access_permission_context_qt.cpp
@@ -453,4 +453,22 @@ std::u16string FileSystemAccessPermissionContextQt::GetPickerTitle(const blink::
 return {};
 }
+void FileSystemAccessPermissionContextQt::PermissionGrantDestroyed(
+ FileSystemAccessPermissionGrantQt *grant)
+{
+ auto it = m_origins.find(grant->origin());
+ if (it == m_origins.end())
+ return;
+
+ auto &grants =
+ grant->type() == GrantType::kRead ? it->second.read_grants : it->second.write_grants;
+ auto grant_it = grants.find(grant->path());
+
+ if (grant_it == grants.end()) {
+ return;
+ }
+ if (grant_it->second == grant)
+ grants.erase(grant_it);
+}
+
 } // namespace QtWebEngineCore
diff --git a/src/core/file_system_access/file_system_access_permission_context_qt.h b/src/core/file_system_access/file_system_access_permission_context_qt.h
index 29fefee24..09e890038 100644
--- a/src/core/file_system_access/file_system_access_permission_context_qt.h
+++ b/src/core/file_system_access/file_system_access_permission_context_qt.h
@@ -19,7 +19,7 @@ class BrowserContext;
 }
 namespace QtWebEngineCore {
-
+class FileSystemAccessPermissionGrantQt;
 class FileSystemAccessPermissionContextQt : public content::FileSystemAccessPermissionContext, public KeyedService {
@@ -56,6 +56,8 @@ public:
 void NavigatedAwayFromOrigin(const url::Origin &origin);
 content::BrowserContext *profile() const { return m_profile; }
+ void PermissionGrantDestroyed(FileSystemAccessPermissionGrantQt *);
+
 private:
 class PermissionGrantImpl;
diff --git a/src/core/file_system_access/file_system_access_permission_grant_qt.cpp b/src/core/file_system_access/file_system_access_permission_grant_qt.cpp
index 8999bf850..67fa1c8cf 100644
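Review bot: The `if (grant_it->second == grant)` guard before `grants.erase(grant_it)` is the reason this function is safe to call from a destructor, yet it carries no comment and a reader will wonder why a mismatch is silently tolerated; add `// The entry for this path may have been replaced by a newer grant; only erase if it is the one being destroyed.` above it. The braced `if (grant_it == grants.end()) { return; }` also differs from the brace-less early return a few lines above in the same function; either drop the braces or add a one-line comment saying why a missing entry is expected here. Since this is invoked from the grant's destructor (the file_system_access_permission_grant_qt.cpp hunk), it mutates `m_origins` on whichever sequence drops the last reference to the grant; if grants are ref-counted and can be released off the browser UI sequence, a sequence check on entry would make that assumption explicit. After the erase the origin entry is kept even when both grant maps are now empty, so unless something else prunes `m_origins` (not visible here) entries accumulate per origin.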
--- a/src/core/file_system_access/file_system_access_permission_grant_qt.cpp
+++ b/src/core/file_system_access/file_system_access_permission_grant_qt.cpp
@@ -22,7 +22,11 @@ FileSystemAccessPermissionGrantQt::FileSystemAccessPermissionGrantQt(
 : m_context(context), m_origin(origin), m_path(path), m_handleType(handle_type), m_type(type)
 {
 }
-
+FileSystemAccessPermissionGrantQt::~FileSystemAccessPermissionGrantQt()
+{
+ if (m_context)
+ m_context->PermissionGrantDestroyed(this);
+}
 void FileSystemAccessPermissionGrantQt::RequestPermission( content::GlobalRenderFrameHostId frame_id, UserActivationState user_activation_state, base::OnceCallback<void(PermissionRequestOutcome)> callback)
diff --git a/src/core/file_system_access/file_system_access_permission_grant_qt.h b/src/core/file_system_access/file_system_access_permission_grant_qt.h
index 1984b8f2c..829d2b889 100644
--- a/src/core/file_system_access/file_system_access_permission_grant_qt.h
+++ b/src/core/file_system_access/file_system_access_permission_grant_qt.h
@@ -36,6 +36,9 @@ public:
 void SetStatus(blink::mojom::PermissionStatus status);
+protected:
+ ~FileSystemAccessPermissionGrantQt() override;
+
 private:
 void OnPermissionRequestResult(base::OnceCallback<void(PermissionRequestOutcome)> callback, permissions::PermissionAction result);
|
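Review bot: The `if (m_context)` check in the new destructor only protects anything if something resets `m_context` when the permission context goes away, and nothing in this change does so; `m_context` is a raw back-pointer, and a grant that outlives its `FileSystemAccessPermissionContextQt` (a KeyedService, so typically torn down with the profile) would turn `m_context->PermissionGrantDestroyed(this)` into the same class of use-after-free this commit fixes in the other direction. If that reset exists elsewhere (not visible in this diff), a comment on the guard naming where `m_context` is cleared would suffice; otherwise have the context's destructor walk its outstanding grants and null their `m_context`, or hold the context through a `base::WeakPtr` so the guard is meaningful. Separately, the hunk removes the blank line after the constructor and appends the destructor with no blank line before `RequestPermission`, which is worth restoring for consistency with the rest of the file.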