mirror of
https://github.com/electron/electron.git
synced 2026-04-10 03:01:51 -04:00
chore: cherry-pick 6b9a07d9eb9b from chromium (#25223)
This commit is contained in:
Jeremy Rose
@@ -122,3 +122,4 @@ reconnect_p2p_socket_dispatcher_if_network_service_dies.patch
|
||||
allow_focus_to_move_into_an_editable_combobox_s_listbox.patch
|
||||
cherry-pick-70579363ce7b.patch
|
||||
avoid_loading_dri_via_gbm_when_gpumemorybuffers_are_disabled.patch
|
||||
reland_fix_uaf_in_selecttype.patch
|
||||
|
||||
93
patches/chromium/reland_fix_uaf_in_selecttype.patch
Normal file
93
patches/chromium/reland_fix_uaf_in_selecttype.patch
Normal file
@@ -0,0 +1,93 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Mason Freed <masonfreed@chromium.org>
|
||||
Date: Mon, 20 Jul 2020 19:55:49 +0000
|
||||
Subject: Reland "Fix UAF in SelectType"
|
||||
|
||||
This is a reland of 72158deaf3751325f1983c87829f65441ee32de3
|
||||
|
||||
The only change made here is to add the new test to LeakExpectations,
|
||||
pointing to crbug.com/1103082. Local testing shows that this leak
|
||||
is triggered by the new test, both before and after this patch. And
|
||||
since the patch fixes a UAF security bug, I'd like to land it with the
|
||||
test, and then work on the leak.
|
||||
|
||||
Fixed: 1102408
|
||||
Bug: 1103082
|
||||
|
||||
TBR=masonfreed@chromium.org
|
||||
|
||||
Original change's description:
|
||||
> Fix UAF in SelectType
|
||||
>
|
||||
> This fixes the UAF detected by ClusterFuzz in [1], caused by [2].
|
||||
> The test case added here is a minimized version of the clusterfuzz
|
||||
> case, and I verified that it crashes (ASAN UAF) before this patch
|
||||
> and no longer crashes after.
|
||||
>
|
||||
> [1] https://clusterfuzz.com/testcase-detail/6224868955193344
|
||||
> [2] https://chromium-review.googlesource.com/c/chromium/src/+/1912682
|
||||
>
|
||||
> Fixed: 1102408
|
||||
> Change-Id: Ieb6a9582ff5b9676596048920bbcff881fdc2eb2
|
||||
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2283901
|
||||
> Commit-Queue: Mason Freed <masonfreed@chromium.org>
|
||||
> Auto-Submit: Mason Freed <masonfreed@chromium.org>
|
||||
> Reviewed-by: Kent Tamura <tkent@chromium.org>
|
||||
> Cr-Commit-Position: refs/heads/master@{#785970}
|
||||
|
||||
(cherry picked from commit e1c45006a8e5a97778eeed0010a7f57d86e70ca4)
|
||||
|
||||
Change-Id: I471cb4abc98a7627803de4e434e0453cb729c15f
|
||||
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2288372
|
||||
Auto-Submit: Mason Freed <masonfreed@chromium.org>
|
||||
Reviewed-by: Kent Tamura <tkent@chromium.org>
|
||||
Commit-Queue: Mason Freed <masonfreed@chromium.org>
|
||||
Cr-Original-Commit-Position: refs/heads/master@{#786562}
|
||||
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2307621
|
||||
Reviewed-by: Mason Freed <masonfreed@chromium.org>
|
||||
Cr-Commit-Position: refs/branch-heads/4147@{#902}
|
||||
Cr-Branched-From: 16307825352720ae04d898f37efa5449ad68b606-refs/heads/master@{#768962}
|
||||
|
||||
diff --git a/third_party/blink/renderer/core/html/forms/select_type.cc b/third_party/blink/renderer/core/html/forms/select_type.cc
|
||||
index 345cbeb26823c5f111f2bc2b98fc15f99efe3314..b5a7e169964b40a51b073ae13b2922019bee0927 100644
|
||||
--- a/third_party/blink/renderer/core/html/forms/select_type.cc
|
||||
+++ b/third_party/blink/renderer/core/html/forms/select_type.cc
|
||||
@@ -709,7 +709,7 @@ bool ListBoxSelectType::DefaultEventHandler(const Event& event) {
|
||||
|
||||
if (Page* page = select_->GetDocument().GetPage()) {
|
||||
page->GetAutoscrollController().StartAutoscrollForSelection(
|
||||
- layout_object);
|
||||
+ select_->GetLayoutObject());
|
||||
}
|
||||
}
|
||||
// Mousedown didn't happen in this element.
|
||||
diff --git a/third_party/blink/web_tests/fast/forms/select/select-change-layout-object-crash-expected.txt b/third_party/blink/web_tests/fast/forms/select/select-change-layout-object-crash-expected.txt
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..cbe81f73ef4a3684565b70d51fe460b22702964f
|
||||
--- /dev/null
|
||||
+++ b/third_party/blink/web_tests/fast/forms/select/select-change-layout-object-crash-expected.txt
|
||||
@@ -0,0 +1 @@
|
||||
+PASS - this test passes if it does not crash (ASAN)
|
||||
diff --git a/third_party/blink/web_tests/fast/forms/select/select-change-layout-object-crash.html b/third_party/blink/web_tests/fast/forms/select/select-change-layout-object-crash.html
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..8e9361dd7cd1f954a2c482aab7c182789ddc0701
|
||||
--- /dev/null
|
||||
+++ b/third_party/blink/web_tests/fast/forms/select/select-change-layout-object-crash.html
|
||||
@@ -0,0 +1,17 @@
|
||||
+<style>
|
||||
+.c:hover { display: block; }
|
||||
+</style>
|
||||
+
|
||||
+<select id=target autofocus=autofocus size=2 class=c></select>
|
||||
+
|
||||
+<script>
|
||||
+if (window.testRunner)
|
||||
+ testRunner.dumpAsText();
|
||||
+
|
||||
+window.onload = function() {
|
||||
+ eventSender.beginDragWithFiles( ["resources/file-for-drag-to-navigate.html"]);
|
||||
+ eventSender.mouseMoveTo(target.offsetLeft + 5, target.offsetTop + 5);
|
||||
+};
|
||||
+</script>
|
||||
+
|
||||
+<p>PASS - this test passes if it does not crash (ASAN)</p>
|
||||
Reference in New Issue
Block a user