mirror of
https://github.com/electron/electron.git
synced 2026-04-10 03:01:51 -04:00
14c64ed2e0
* chore: [19-x-y] cherry-pick 51daffbf5cd8 from chromium * chore: update patches Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com> Co-authored-by: Electron Bot <electron@github.com> Co-authored-by: Charles Kerr <charles@charleskerr.com>
46 lines
2.1 KiB
Diff
46 lines
2.1 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Yutaka Hirano <yhirano@chromium.org>
|
|
Date: Mon, 4 Jul 2022 11:48:20 +0000
|
|
Subject: Fix UAF on network::URLLoader
|
|
|
|
network::URLLoader::SetUpUpload calls NotifyCompleted asynchronously,
|
|
as it can be called in the constructor and we don't want to run
|
|
NotifyCompleted in the constructor.
|
|
|
|
The problem is that it attaches a raw pointer to the method, which leads to a use-after-free problem if the URLLoader is destructed before
|
|
NotifyCompleted is called.
|
|
|
|
Use weak pointers instead of raw pointers to avoid the problem.
|
|
|
|
Bug: 1340253
|
|
Change-Id: Iacb1e772bf7a8e3de4a7bb9de342fea9ba0f3f3c
|
|
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3740150
|
|
Reviewed-by: Kenichi Ishibashi <bashi@chromium.org>
|
|
Commit-Queue: Yutaka Hirano <yhirano@chromium.org>
|
|
Cr-Commit-Position: refs/heads/main@{#1020539}
|
|
|
|
diff --git a/services/network/url_loader.cc b/services/network/url_loader.cc
|
|
index dbe9e809898ee720c0670e9c6db73c38658613b2..666e82ee2f14a77592b52159ee81a2029de28172 100644
|
|
--- a/services/network/url_loader.cc
|
|
+++ b/services/network/url_loader.cc
|
|
@@ -793,8 +793,8 @@ void URLLoader::OpenFilesForUpload(const ResourceRequest& request) {
|
|
// initializing before getting deleted.
|
|
base::SequencedTaskRunnerHandle::Get()->PostTask(
|
|
FROM_HERE,
|
|
- base::BindOnce(&URLLoader::NotifyCompleted, base::Unretained(this),
|
|
- net::ERR_ACCESS_DENIED));
|
|
+ base::BindOnce(&URLLoader::NotifyCompleted,
|
|
+ weak_ptr_factory_.GetWeakPtr(), net::ERR_ACCESS_DENIED));
|
|
return;
|
|
}
|
|
url_request_->LogBlockedBy("Opening Files");
|
|
@@ -813,7 +813,7 @@ void URLLoader::SetUpUpload(const ResourceRequest& request,
|
|
// initializing before getting deleted.
|
|
base::SequencedTaskRunnerHandle::Get()->PostTask(
|
|
FROM_HERE, base::BindOnce(&URLLoader::NotifyCompleted,
|
|
- base::Unretained(this), error_code));
|
|
+ weak_ptr_factory_.GetWeakPtr(), error_code));
|
|
return;
|
|
}
|
|
scoped_refptr<base::SequencedTaskRunner> task_runner =
|