Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore: cherry-pick 65f0ef609c00 from chromium (#36079)
* chore: [20-x-y] cherry-pick 65f0ef609c00 from chromium * chore: update patches Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com> Co-authored-by: electron-patch-conflict-fixer[bot] <83340002+electron-patch-conflict-fixer[bot]@users.noreply.github.com>
- Loading branch information
3 people
committed
Oct 26, 2022
1 parent
7a70765
commit aedfdad
Showing
2 changed files
with
47 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
| From: Andy Paicu <andypaicu@chromium.org> | ||
| Date: Thu, 6 Oct 2022 21:04:23 +0000 | ||
| Subject: Fix UAF issue around permission status observer list | ||
|
|
||
| (cherry picked from commit 4df595127d95d4b0bf115be1ab4604d95b75273c) | ||
|
|
||
| (cherry picked from commit 1dc5dda6112bdd811c923520cc728a474583409e) | ||
|
|
||
| Bug: 1363040 | ||
| Change-Id: I1f64a901b83aa834ae652c8041456e9b7d253c1f | ||
| Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3907744 | ||
| Reviewed-by: Kamila Hasanbega <hkamila@chromium.org> | ||
| Commit-Queue: Andy Paicu <andypaicu@chromium.org> | ||
| Cr-Original-Original-Commit-Position: refs/heads/main@{#1049058} | ||
| Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3929034 | ||
| Reviewed-by: Illia Klimov <elklm@chromium.org> | ||
| Cr-Original-Commit-Position: refs/branch-heads/5304@{#483} | ||
| Cr-Original-Branched-From: 5d7b1fc9cb7103d9c82eed647cf4be38cf09738b-refs/heads/main@{#1047731} | ||
| Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3936291 | ||
| Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> | ||
| Cr-Commit-Position: refs/branch-heads/5249@{#764} | ||
| Cr-Branched-From: 4f7bea5de862aaa52e6bde5920755a9ef9db120b-refs/heads/main@{#1036826} | ||
|
|
||
| diff --git a/third_party/blink/renderer/modules/permissions/permission_status_listener.cc b/third_party/blink/renderer/modules/permissions/permission_status_listener.cc | ||
| index 424314c1dd49bd693643e41adb537f7a9d01e5d2..946e28ac3139a1927ac36281f04cec9f5faf76d2 100644 | ||
| --- a/third_party/blink/renderer/modules/permissions/permission_status_listener.cc | ||
| +++ b/third_party/blink/renderer/modules/permissions/permission_status_listener.cc | ||
| @@ -62,7 +62,17 @@ void PermissionStatusListener::OnPermissionStatusChange( | ||
|
|
||
| status_ = status; | ||
|
|
||
| + // The `observers_` list can change in response to permission status change | ||
| + // events as the observers map to PermissionStatus JS objects which can be | ||
| + // created and destroyed in the JS event handler function. To avoid UAF and | ||
| + // list modification issues, a temporary snapshot of the observers is made and | ||
| + // used instead. | ||
| + HeapHashSet<WeakMember<Observer>> observers; | ||
| for (const auto& observer : observers_) { | ||
| + observers.insert(observer); | ||
| + } | ||
| + | ||
| + for (const auto& observer : observers) { | ||
| if (observer) | ||
| observer->OnPermissionStatusChange(status); | ||
| else |