author | Darwin Huang <huangdarwin@chromium.org> | 2020-11-10 00:30:53 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2020-12-07 22:24:24 +0000 |
commit | 8e776e6e6f5e4642088d85318d0f6263ce649704 (patch) | |
tree | a6edd4f1afbb8e76290c5565e84f5aa5e1449e21 | |
parent | ade0aef290c67070ee2e431c34c33dde00f3559a (diff) |
[Backport] CVE-2020-16014: Use after free in PPAPI
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2527065:
Pepper: Ensure weak pointer is still valid before use.
Bug: 1146675
Change-Id: I382dcb5c0b09a26e3c397ebef46947f626e2aef9
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Darwin Huang <huangdarwin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#825558}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/content/browser/renderer_host/pepper/pepper_file_io_host.cc | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/chromium/content/browser/renderer_host/pepper/pepper_file_io_host.cc b/chromium/content/browser/renderer_host/pepper/pepper_file_io_host.cc index 474c1683dcd..8ae20bd4bcd 100644 --- a/chromium/content/browser/renderer_host/pepper/pepper_file_io_host.cc +++ b/chromium/content/browser/renderer_host/pepper/pepper_file_io_host.cc @@ -250,7 +250,12 @@ void PepperFileIOHost::GotUIThreadStuffForInternalFileSystems( return; } - DCHECK(file_system_host_.get()); + if (!file_system_host_.get()) { + reply_context.params.set_result(PP_ERROR_FAILED); + SendOpenErrorReply(reply_context); + return; + } + DCHECK(file_system_host_->GetFileSystemOperationRunner()); file_system_host_->GetFileSystemOperationRunner()->OpenFile( |
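Review bot: the unchanged context line right after the new block, `DCHECK(file_system_host_->GetFileSystemOperationRunner());`, still guards a pointer that is dereferenced on the very next line (`->OpenFile(`) with a debug-only assertion, which is the same pattern this hunk replaces for `file_system_host_`. DCHECK is compiled out of release builds, so if the operation runner can be null once the host has passed the new check, that path needs the same runtime handling (`set_result(PP_ERROR_FAILED)`, `SendOpenErrorReply(reply_context)`, `return`). If it cannot be null here, a short comment saying why would help. A comment above the new `if` noting that `file_system_host_` is a weak pointer that may have been invalidated by the time this callback runs would also record why the early return exists, since that reasoning currently lives only in the commit message.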