Google Git
Sign in
chromium / chromium / src / da8ef10a54a9f8d1126b19ccbad0fe2d9d2ccdda
commitda8ef10a54a9f8d1126b19ccbad0fe2d9d2ccdda[log] [tgz]
authorNicholas Hollingum <hollingum@google.com>Mon Jun 24 00:16:37 2019
committerCommit Bot <commit-bot@chromium.org>Mon Jun 24 00:16:37 2019
treec3b198447f0a4a82019d636c98b1c14fe6746413
parentfbe4473cae4eef79074878f2cfe63dff7d021d71 [diff]
Fixed a use-after-free in exo::Pointer

Basically you can get the UAF by binding to either one of the delegates
twice.  Naturally (as a comment suggested) this doesnt make much sense,
but its still an attack surface so this fix will stop it.

The fix means that if a user binds the delegate's interface twice, then
we will only keep the latest one alive, and we simulate removal of the
pointer interface for the other (which prevents it from invoking methods
on that pointer during its destruction).

Bug: b:135720248
Change-Id: I39f4ca1602058efa650a51a41e3ce7b955bb43bd
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1670574
Commit-Queue: Nic Hollingum <hollingum@google.com>
Reviewed-by: Mitsuru Oshima <oshima@chromium.org>
Cr-Commit-Position: refs/heads/master@{#671568}
1 file changed
tree: c3b198447f0a4a82019d636c98b1c14fe6746413
  1. android_webview/
  2. apps/
  3. ash/
  4. base/
  5. build/
  6. build_overrides/
  7. buildtools/
  8. cc/
  9. chrome/
  10. chromecast/
  11. chromeos/
  12. cloud_print/
  13. components/
  14. content/
  15. courgette/
  16. crypto/
  17. dbus/
  18. device/
  19. docs/
  20. extensions/
  21. fuchsia/
  22. gin/
  23. google_apis/
  24. google_update/
  25. gpu/
  26. headless/
  27. infra/
  28. ios/
  29. ipc/
  30. jingle/
  31. media/
  32. mojo/
  33. native_client_sdk/
  34. net/
  35. pdf/
  36. ppapi/
  37. printing/
  38. remoting/
  39. rlz/
  40. sandbox/
  41. services/
  42. skia/
  43. sql/
  44. storage/
  45. styleguide/
  46. testing/
  47. third_party/
  48. tools/
  49. ui/
  50. url/
  51. .clang-format
  52. .eslintrc.js
  53. .git-blame-ignore-revs
  54. .gitattributes
  55. .gitignore
  56. .gn
  57. .vpython
  58. AUTHORS
  59. BUILD.gn
  60. CODE_OF_CONDUCT.md
  61. codereview.settings
  62. DEPS
  63. ENG_REVIEW_OWNERS
  64. LICENSE
  65. LICENSE.chromium_os
  66. OWNERS
  67. PRESUBMIT.py
  68. PRESUBMIT_test.py
  69. PRESUBMIT_test_mocks.py
  70. README.md
  71. WATCHLISTS
README.md

Logo Chromium

Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.

The project's web site is https://www.chromium.org.

Documentation in the source is rooted in docs/README.md.

Learn how to Get Around the Chromium Source Code Directory Structure .