From 2419957e28c095bbc86ac1df87744d2087356a8f Mon Sep 17 00:00:00 2001
From: Jana Grill
Date: Wed, 14 Apr 2021 08:40:10 +0000
Subject: [Backport] CVE-2021-21206: Use after free in Blink
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2821879: Forbid script execution while updating the paint lifecycle.
(cherry picked from commit 5425d3b100fab533ea9ddc2ed8fbfc4870db0587)
Bug: 1196781
Change-Id: Idc8d24792d5c413691977b09ca821de4e13887ad
Commit-Queue: Adrian Taylor
Commit-Queue: Robert Flack
Reviewed-by: Xianzhu Wang
Cr-Original-Commit-Position: refs/heads/master@{#870275}
Reviewed-by: Robert Flack
Reviewed-by: Achuith Bhandarkar
Reviewed-by: Victor-Gabriel Savu
Commit-Queue: Jana Grill
Cr-Commit-Position: refs/branch-heads/4240@{#1601}
Cr-Branched-From: f297677702651916bbf65e59c0d4bbd4ce57d1ee-refs/heads/master@{#800218}
Reviewed-by: Allan Sandfeld Jensen
---
 .../blink/renderer/core/frame/local_frame_view.cc | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/chromium/third_party/blink/renderer/core/frame/local_frame_view.cc b/chromium/third_party/blink/renderer/core/frame/local_frame_view.cc
index 60288427035..d470bd94093 100644
--- a/chromium/third_party/blink/renderer/core/frame/local_frame_view.cc
+++ b/chromium/third_party/blink/renderer/core/frame/local_frame_view.cc
@@ -2766,11 +2766,14 @@ void LocalFrameView::RunPaintLifecyclePhase() {
 for (PaintLayerScrollableArea* area : *animating_scrollable_areas)
 area->UpdateCompositorScrollAnimations();
 }
- frame_view.GetLayoutView()
- ->GetDocument()
- .GetDocumentAnimations()
- .UpdateAnimations(DocumentLifecycle::kPaintClean,
- paint_artifact_compositor_.get());
+ {
+ ScriptForbiddenScope forbid_script;
+ frame_view.GetLayoutView()
+ ->GetDocument()
+ .GetDocumentAnimations()
+ .UpdateAnimations(DocumentLifecycle::kPaintClean,
+ paint_artifact_compositor_.get());
+ }
 });
 
 // Initialize animation properties in the newly created paint property
-- 
cgit v1.2.3
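Review bot: The new `ScriptForbiddenScope` block carries no comment saying why script must not run here, so the next reader sees an anonymous brace scope around a single call and has to dig up CVE-2021-21206 to learn that it presumably exists to stop a script callback from tearing down the document or layout tree that the `frame_view.GetLayoutView()->GetDocument()` chain is still using; I would add `// Script must not run while animations are updated for kPaintClean: a script callback could tear down the frame or layout tree this update is still walking (crbug 1196781).` right after the opening brace. The scope is also narrower than the lambda: the `area->UpdateCompositorScrollAnimations()` loop just above is left outside it, which is fine only if that path cannot reach script — if it can, the scope should open at the top of the lambda, and if it cannot, the same comment should say why only `UpdateAnimations` needs it. The diffstat shows this backport carries no regression test; if the original change at https://chromium-review.googlesource.com/c/chromium/src/+/2821879 landed one, it should be ported with the fix so the use-after-free cannot silently return. `RunPaintLifecyclePhase` and the lambda both begin before this hunk, and the function continues after it.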