qt/qtwebengine-chromium.git - Vendor branch of Chromium. This is a submodule of qtwebengine

diff options

author	Ted Meyer <tmathmeyer@chromium.org>	2022-02-23 01:34:20 +0000
committer	Michael Brüning <michael.bruning@qt.io>	2022-06-03 11:39:16 +0000
commit	ecc2bb74f1f7140fc52650042299be18e826b27b (patch)
tree	1a8ba9ec0a7dcf9617a0ad1f7f979543819b66c3 /.gitattributes
parent	a7a23ccc69e6756e02583e6871cc37151d89a7c2 (diff)

[Backport] CVE-2022-0796: Use after free in Media

Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3482463: Guard BatchingMediaLog::event_handlers_ with lock It seems that despite MediaLog::OnWebMediaPlayerDestroyed and MediaLog::AddLogRecord both grabbing a lock, BatchingMediaLog::AddLogRecordLocked can escape the lock handle by posting BatchingMediaLog::SendQueuedMediaEvents, causing a race. When the addition of an event is interrupted by the deletion of a player due to player culling in MediaInspectorContextImpl, a UAF can occur. R=dalecurtis (cherry picked from commit 34526c3d0a857a22618e4d77c7f63b5ca6f8d3d2) Bug: 1295786 Change-Id: I77df94988f806e4d98924669d27860e50455299d Reviewed-by: Dale Curtis <dalecurtis@chromium.org> Commit-Queue: Ted (Chromium) Meyer <tmathmeyer@chromium.org> Cr-Original-Commit-Position: refs/heads/main@{#970815} Auto-Submit: Ted (Chromium) Meyer <tmathmeyer@chromium.org> Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Cr-Commit-Position: refs/branch-heads/4758@{#1192} Cr-Branched-From: 4a2cf4baf90326df19c3ee70ff987960d59a386e-refs/heads/main@{#950365} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>

Diffstat (limited to '.gitattributes')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: