chore: cherry-pick 51daffbf5cd8 from chromium #35549
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fix UAF on network::URLLoader
network::URLLoader::SetUpUpload calls NotifyCompleted asynchronously,
as it can be called in the constructor and we don't want to run
NotifyCompleted in the constructor.
The problem is that it attaches a raw pointer to the method, which leads to a use-after-free problem if the URLLoader is destructed before
NotifyCompleted is called.
Use weak pointers instead of raw pointers to avoid the problem.
Bug: 1340253
Change-Id: Iacb1e772bf7a8e3de4a7bb9de342fea9ba0f3f3c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3740150
Reviewed-by: Kenichi Ishibashi bashi@chromium.org
Commit-Queue: Yutaka Hirano yhirano@chromium.org
Cr-Commit-Position: refs/heads/main@{#1020539}
Ref electron/security#203
Notes: Security: backported fix for CVE-2022-3038.