commit | da8ef10a54a9f8d1126b19ccbad0fe2d9d2ccdda | |
---|---|---|
author | Nicholas Hollingum <hollingum@google.com> | Mon Jun 24 00:16:37 2019 |
committer | Commit Bot <commit-bot@chromium.org> | Mon Jun 24 00:16:37 2019 |
tree | c3b198447f0a4a82019d636c98b1c14fe6746413 | |
parent | fbe4473cae4eef79074878f2cfe63dff7d021d71 | |

Fixed a use-after-free in exo::Pointer

Basically you can get the UAF by binding to either one of the delegates twice. Naturally (as a comment suggested) this doesn't make much sense, but it's still an attack surface so this fix will stop it.

The fix means that if a user binds the delegate's interface twice, then we will only keep the latest one alive, and we simulate removal of the pointer interface for the other (which prevents it from invoking methods on that pointer during its destruction).

Bug: b:135720248
Change-Id: I39f4ca1602058efa650a51a41e3ce7b955bb43bd
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1670574
Commit-Queue: Nic Hollingum <hollingum@google.com>
Reviewed-by: Mitsuru Oshima <oshima@chromium.org>
Cr-Commit-Position: refs/heads/master@{#671568}
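
A simplified model of the lifetime problem and the fix described in the commit message above, added here as an illustration and not taken from the Chromium source. The class and method names (`Pointer`, `Delegate`, `SetDelegate`, `UnsetDelegate`, `OnPointerDestroying`) and the `detach_previous` switch are assumptions made for the example.

```cpp
#include <memory>

// Simplified model of the lifetime bug; all names here are hypothetical.
class Pointer;

class Delegate {
 public:
  explicit Delegate(Pointer* pointer) : pointer_(pointer) {}
  ~Delegate();  // Unregisters from pointer_ if still attached.
  void OnPointerDestroying() { pointer_ = nullptr; }
  bool attached() const { return pointer_ != nullptr; }

 private:
  Pointer* pointer_;  // Raw back-reference: dangles if never cleared.
};

class Pointer {
 public:
  explicit Pointer(bool detach_previous) : detach_previous_(detach_previous) {}
  ~Pointer() {
    if (delegate_) delegate_->OnPointerDestroying();  // Only the tracked one.
  }
  void SetDelegate(Delegate* d) {
    // The fix: a second bind simulates pointer removal for the old delegate.
    if (detach_previous_ && delegate_ && delegate_ != d)
      delegate_->OnPointerDestroying();
    delegate_ = d;
  }
  void UnsetDelegate(Delegate* d) {
    if (delegate_ == d) delegate_ = nullptr;
  }

 private:
  bool detach_previous_;
  Delegate* delegate_ = nullptr;
};

Delegate::~Delegate() {
  if (pointer_) pointer_->UnsetDelegate(this);
}

// Binds two delegates, destroys the pointer, and counts delegates left with
// a dangling back-reference (each would touch freed memory when destroyed).
int StaleDelegatesAfterDoubleBind(bool detach_previous) {
  auto pointer = std::make_unique<Pointer>(detach_previous);
  Delegate first(pointer.get()), second(pointer.get());
  pointer->SetDelegate(&first);
  pointer->SetDelegate(&second);
  pointer.reset();
  int stale = first.attached() + second.attached();
  first.OnPointerDestroying();  // Clear by hand so this demo itself stays safe.
  second.OnPointerDestroying();
  return stale;
}
```

With `detach_previous` off, the first delegate is overwritten without being told the pointer is gone, so it survives the pointer with a stale back-reference; with it on, no delegate outlives the pointer while still attached.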