authorRune Lillesveen <futhark@chromium.org>2021-03-30 18:36:59 +0000
committerMichael Brüning <michael.bruning@qt.io>2021-04-19 22:34:44 +0000
commitc53cc6c9f24c1f87e556e01cede8dffc82367d0e (patch)
tree9a6545e19d780b7006a2637c487142b8282b8570
parent88d217a8b9e4d990e8930ee6b59d3a97289a2276 (diff)
[Backport] CVE-2021-21203: Use after free in Blink
Cherry-pick of commit originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2792423: Don't erase InterpolationTypes used by other documents A registered custom property in one document caused the entry for the same custom property (unregistered) used in another document to be deleted, which caused a use-after-free. Only store the CSSDefaultInterpolationType for unregistered custom properties and never store registered properties in the map. They may have different types in different documents when registered. Bug: 1192054 Change-Id: I1af03d0a298795db99acc9c62f0d0fff8a5e801d Commit-Queue: Rune Lillesveen <futhark@chromium.org> Reviewed-by: Robert Flack <flackr@chromium.org> Cr-Commit-Position: refs/heads/master@{#867692} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/core/animation/css_interpolation_types_map.cc26
1 files changed, 10 insertions, 16 deletions
diff --git a/chromium/third_party/blink/renderer/core/animation/css_interpolation_types_map.cc b/chromium/third_party/blink/renderer/core/animation/css_interpolation_types_map.cc
index 0dbbc626a3f..8fa2a720510 100644
--- a/chromium/third_party/blink/renderer/core/animation/css_interpolation_types_map.cc
+++ b/chromium/third_party/blink/renderer/core/animation/css_interpolation_types_map.cc
@@ -83,28 +83,22 @@ const InterpolationTypes& CSSInterpolationTypesMap::Get(
DEFINE_STATIC_LOCAL(ApplicableTypesMap, all_applicable_types_map, ());
DEFINE_STATIC_LOCAL(ApplicableTypesMap, composited_applicable_types_map, ());
- ApplicableTypesMap& applicable_types_map =
- allow_all_animations_ ? all_applicable_types_map
- : composited_applicable_types_map;
-
- auto entry = applicable_types_map.find(property);
- bool found_entry = entry != applicable_types_map.end();
-
// Custom property interpolation types may change over time so don't trust the
- // applicableTypesMap without checking the registry.
+ // applicable_types_map without checking the registry. Also since the static
+ // map is shared between documents, the registered type may be different in
+ // the different documents.
if (registry_ && property.IsCSSCustomProperty()) {
- const auto* registration = GetRegistration(registry_, property);
- if (registration) {
- if (found_entry) {
- applicable_types_map.erase(entry);
- }
+ if (const auto* registration = GetRegistration(registry_, property))
return registration->GetInterpolationTypes();
- }
}
- if (found_entry) {
+ ApplicableTypesMap& applicable_types_map =
+ allow_all_animations_ ? all_applicable_types_map
+ : composited_applicable_types_map;
+
+ auto entry = applicable_types_map.find(property);
+ if (entry != applicable_types_map.end())
return *entry->value;
- }
std::unique_ptr<InterpolationTypes> applicable_types =
std::make_unique<InterpolationTypes>();