mirror of
https://github.com/electron/electron.git
synced 2026-05-02 03:00:22 -04:00
fix: prevent use-after-free when destroying guest WebContents during event emission

Multiple event emission sites in WebContents destroy the underlying C++ object via a JavaScript event handler calling webContents.destroy(), then continue to dereference the freed `this` pointer. This is exploitable through <webview> guest WebContents because Destroy() calls `delete this` synchronously for guests, unlike non-guests which safely defer deletion.

The fix has two layers:

1. A new `is_emitting_event_` flag is checked in Destroy() — when true, guest deletion is deferred to a posted task instead of executing synchronously. This is separate from `is_safe_to_delete_` (which gates LoadURL re-entrancy) to avoid rejecting legitimate loadURL calls from event handlers.

2. AutoReset<bool> guards on `is_emitting_event_` are added to CloseContents, RenderViewDeleted, DidFinishNavigation, and SetContentsBounds, preventing synchronous destruction while their Emit() calls are on the stack.

Destroy() now requires both `is_safe_to_delete_` (navigation re-entrancy) and `!is_emitting_event_` (event emission) to allow synchronous guest deletion. The existing AutoReset guards on `is_safe_to_delete_` in DidStartNavigation, DidRedirectNavigation, and ReadyToCommitNavigation are also now effective for guests.

Co-authored-by: trop[bot] <37223003+trop[bot]@users.noreply.github.com>
Co-authored-by: Shelley Vohr <shelley.vohr@gmail.com>
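The two-flag design described in the commit message, as an added, self-contained C++ model that is not Electron's code: a toy guest object whose Destroy() deletes synchronously only when neither a navigation re-entrancy guard nor an Emit() is on the stack, and otherwise posts the deletion to a task queue. The `AutoReset`, `TaskQueue`, `GuestContents`, `LoadURL`, `CloseContents` and scenario function names are simplified stand-ins chosen for this example; only the flag names `is_safe_to_delete_` and `is_emitting_event_` come from the commit message.

```cpp
#include <cstdio>
#include <functional>
#include <utility>
#include <vector>

// Simplified stand-in for base::AutoReset (assumption, not Electron's code):
// sets *scoped to new_value for the guard's lifetime, then restores it.
template <typename T>
class AutoReset {
 public:
  AutoReset(T* scoped, T new_value) : scoped_(scoped), original_(*scoped) {
    *scoped_ = new_value;
  }
  ~AutoReset() { *scoped_ = original_; }

 private:
  T* scoped_;
  T original_;
};

// Stand-in for the task runner the fix posts deferred deletion to.
struct TaskQueue {
  std::vector<std::function<void()>> tasks;
  void Post(std::function<void()> task) { tasks.push_back(std::move(task)); }
  void RunAll() {
    auto pending = std::move(tasks);
    tasks.clear();
    for (auto& task : pending) task();
  }
};

// Toy model of a guest WebContents (hypothetical class, mirroring the two
// flags named in the commit message).
class GuestContents {
 public:
  using Handler = std::function<void(GuestContents*)>;
  GuestContents(TaskQueue* queue, bool* deleted_flag)
      : queue_(queue), deleted_flag_(deleted_flag) {}
  ~GuestContents() { *deleted_flag_ = true; }

  void SetHandler(Handler handler) { handler_ = std::move(handler); }

  // Destroy(): a guest is deleted synchronously only when no navigation
  // re-entrancy guard and no Emit() is on the stack; otherwise deletion is
  // deferred so the caller can finish using `this`.
  void Destroy() {
    if (is_safe_to_delete_ && !is_emitting_event_) {
      delete this;
      return;
    }
    queue_->Post([this] { delete this; });
  }

  // LoadURL() re-entrancy is gated only by is_safe_to_delete_, so a handler
  // calling it from inside an event emission is still accepted.
  bool LoadURL() {
    if (!is_safe_to_delete_) return false;
    ++loads_;
    return true;
  }

  // Models CloseContents(): emit under the guard, then touch a member.
  // Without the guard, a handler calling Destroy() would free `this` before
  // the member access below executes.
  int CloseContents() {
    AutoReset<bool> guard(&is_emitting_event_, true);
    Emit();
    return ++post_emit_touches_;  // safe: deletion was deferred, not run
  }

 private:
  void Emit() { if (handler_) handler_(this); }

  TaskQueue* queue_;
  bool* deleted_flag_;
  Handler handler_;
  bool is_safe_to_delete_ = true;
  bool is_emitting_event_ = false;
  int loads_ = 0;
  int post_emit_touches_ = 0;
};

// Scenario 1: the handler calls LoadURL() and then Destroy() while
// CloseContents() is emitting. Returns true when LoadURL was accepted, the
// object outlived the emission, and it was deleted only by the posted task.
bool DeferredDestroyDuringEmission() {
  TaskQueue queue;
  bool deleted = false;
  bool load_ok = false;
  auto* guest = new GuestContents(&queue, &deleted);
  guest->SetHandler([&load_ok](GuestContents* g) {
    load_ok = g->LoadURL();  // legitimate loadURL from a handler
    g->Destroy();            // synchronous `delete this` before the fix
  });
  int touches = guest->CloseContents();
  bool alive_after_emit = !deleted && touches == 1;
  queue.RunAll();  // the deferred deletion executes here
  return load_ok && alive_after_emit && deleted && queue.tasks.empty();
}

// Scenario 2: Destroy() with nothing on the stack still deletes synchronously,
// so the non-reentrant path is unchanged.
bool SynchronousDestroyOutsideEmission() {
  TaskQueue queue;
  bool deleted = false;
  auto* guest = new GuestContents(&queue, &deleted);
  guest->Destroy();
  return deleted && queue.tasks.empty();
}

int main() {
  std::printf("deferred during emission: %s\n",
              DeferredDestroyDuringEmission() ? "ok" : "FAIL");
  std::printf("synchronous outside emission: %s\n",
              SynchronousDestroyOutsideEmission() ? "ok" : "FAIL");
  return 0;
}
```

The point of keeping `is_emitting_event_` separate from `is_safe_to_delete_` is visible in scenario 1: the handler's LoadURL() call succeeds because only the navigation guard gates it, while its Destroy() call is deferred because the emission guard is set, so the member access after Emit() runs on a live object.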