From ff42b8087b4831b4893ff9ed4853acd8bcbd83ec Mon Sep 17 00:00:00 2001
From: Michal Klocek
Date: Fri, 13 Jan 2023 16:00:48 +0100
Subject: Fix use after free in permission grant
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The permission grant can become dangling pointer in origin state struct, fix it.

Change-Id: If16b604a8c3c05d09ea923251dabcae73192dd7d
Reviewed-by: Allan Sandfeld Jensen
(cherry picked from commit 16d3701b1dd4887cc4affb0447ee3b9b7729e7fb)
Reviewed-by: Michael BrĂ¼ning
---
 .../file_system_access_permission_context_qt.cpp | 18 ++++++++++++++++++
 .../file_system_access_permission_context_qt.h | 4 +++-
 .../file_system_access_permission_grant_qt.cpp | 6 +++++-
 .../file_system_access_permission_grant_qt.h | 3 +++
 4 files changed, 29 insertions(+), 2 deletions(-)
(limited to 'src')

diff --git a/src/core/file_system_access/file_system_access_permission_context_qt.cpp b/src/core/file_system_access/file_system_access_permission_context_qt.cpp
index bc88f7898..2fd710ad6 100644
--- a/src/core/file_system_access/file_system_access_permission_context_qt.cpp
+++ b/src/core/file_system_access/file_system_access_permission_context_qt.cpp
@@ -453,4 +453,22 @@ std::u16string FileSystemAccessPermissionContextQt::GetPickerTitle(const blink::
 return {};
 }
+void FileSystemAccessPermissionContextQt::PermissionGrantDestroyed( FileSystemAccessPermissionGrantQt *grant)
+{
+ auto it = m_origins.find(grant->origin());
+ if (it == m_origins.end())
+ return;
+
+ auto &grants =
+ grant->type() == GrantType::kRead ? it->second.read_grants : it->second.write_grants;
+ auto grant_it = grants.find(grant->path());
+
+ if (grant_it == grants.end()) {
+ return;
+ }
+ if (grant_it->second == grant)
+ grants.erase(grant_it);
+}
+
 } // namespace QtWebEngineCore
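Review bot: The pointer-identity check guarding `grants.erase(grant_it)` is the subtle part of PermissionGrantDestroyed and has no comment: a newer grant for the same path may have replaced this one in the map, and erasing blindly would drop the live grant's registration instead of the stale one. Suggest `// Only erase the entry if it still refers to this grant; a newer grant for the same path may have replaced it.` above the final if. Everything here runs from inside ~FileSystemAccessPermissionGrantQt, so origin(), type() and path() are read from an object mid-destruction; that is fine while they are plain member accessors (members outlive the destructor body), and a short note saying the function relies on that would protect it from later refactoring. Style: the two early returns use different brace conventions (`if (it == m_origins.end()) return;` versus the braced `if (grant_it == grants.end()) { return; }`); pick one.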
diff --git a/src/core/file_system_access/file_system_access_permission_context_qt.h b/src/core/file_system_access/file_system_access_permission_context_qt.h
index 29fefee24..09e890038 100644
--- a/src/core/file_system_access/file_system_access_permission_context_qt.h
+++ b/src/core/file_system_access/file_system_access_permission_context_qt.h
@@ -19,7 +19,7 @@ class BrowserContext;
 }
 namespace QtWebEngineCore {
-
+class FileSystemAccessPermissionGrantQt;
 class FileSystemAccessPermissionContextQt : public content::FileSystemAccessPermissionContext, public KeyedService {
@@ -56,6 +56,8 @@ public:
 void NavigatedAwayFromOrigin(const url::Origin &origin);
 content::BrowserContext *profile() const { return m_profile; }
+ void PermissionGrantDestroyed(FileSystemAccessPermissionGrantQt *);
+
 private:
 class PermissionGrantImpl;
diff --git a/src/core/file_system_access/file_system_access_permission_grant_qt.cpp b/src/core/file_system_access/file_system_access_permission_grant_qt.cpp
index 8999bf850..67fa1c8cf 100644
--- a/src/core/file_system_access/file_system_access_permission_grant_qt.cpp
+++ b/src/core/file_system_access/file_system_access_permission_grant_qt.cpp
@@ -22,7 +22,11 @@ FileSystemAccessPermissionGrantQt::FileSystemAccessPermissionGrantQt(
 : m_context(context), m_origin(origin), m_path(path), m_handleType(handle_type), m_type(type)
 {
 }
-
+FileSystemAccessPermissionGrantQt::~FileSystemAccessPermissionGrantQt()
+{
+ if (m_context)
+ m_context->PermissionGrantDestroyed(this);
+}
 void FileSystemAccessPermissionGrantQt::RequestPermission(
 content::GlobalRenderFrameHostId frame_id, UserActivationState user_activation_state,
 base::OnceCallback callback)
diff --git a/src/core/file_system_access/file_system_access_permission_grant_qt.h b/src/core/file_system_access/file_system_access_permission_grant_qt.h
index 1984b8f2c..829d2b889 100644
--- a/src/core/file_system_access/file_system_access_permission_grant_qt.h
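Review bot: The new public declaration `void PermissionGrantDestroyed(FileSystemAccessPermissionGrantQt *);` has an unnamed parameter and no comment, although it is a lifetime hook the grant calls from its destructor rather than part of the context's ordinary API. Suggest naming the parameter and documenting the contract, e.g. `// Called by ~FileSystemAccessPermissionGrantQt; drops |grant| from the origin's read/write grant map if the entry still refers to it.` Whether this belongs in the public section or should be reachable only by the grant class (a friend declaration, for instance) is a design choice worth a sentence in that comment. The forward-declaration hunk also removes the blank line after `namespace QtWebEngineCore {`, leaving both class declarations packed against the namespace opener.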
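Review bot: The `if (m_context)` guard in the new destructor only covers a context that was never set; nothing in this patch clears m_context when the FileSystemAccessPermissionContextQt itself is destroyed, so a grant that outlives its context would call PermissionGrantDestroyed through a stale pointer — the mirror image of the dangling pointer this commit fixes. The protected destructor added in the header suggests the grant's lifetime is controlled by whoever holds it, so outliving the context cannot be ruled out from these hunks alone. If the context is guaranteed to outlive every grant, say so in a comment next to the guard; otherwise consider holding the context through a base::WeakPtr, or having the context null out m_context on its remaining grants in its own destructor (assuming m_context is a raw pointer, which the plain null check suggests). Minor: the removed blank line leaves the destructor with no separator from either the constructor's closing brace or RequestPermission; restoring the blank lines would match the surrounding layout. RequestPermission's body continues outside the hunk.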
+++ b/src/core/file_system_access/file_system_access_permission_grant_qt.h
@@ -36,6 +36,9 @@ public:
 void SetStatus(blink::mojom::PermissionStatus status);
+protected:
+ ~FileSystemAccessPermissionGrantQt() override;
+
 private:
 void OnPermissionRequestResult(base::OnceCallback callback, permissions::PermissionAction result);
--
cgit v1.2.1
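Review bot: The protected destructor override is declared without a comment saying why the class now needs an explicit destructor at all (it unregisters the grant from its context), so a reader of the header alone cannot tell it from the previous implicit one. Suggest `// Notifies m_context via PermissionGrantDestroyed() so the context drops its pointer to this grant.` above the declaration. The `override` implies a virtual destructor in the base, and keeping it protected is consistent with a reference-counted base that controls deletion — worth confirming against the base class and recording in the same comment so nobody later makes it public. The enclosing class declaration continues outside the hunk.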