From c53cc6c9f24c1f87e556e01cede8dffc82367d0e Mon Sep 17 00:00:00 2001
From: Rune Lillesveen
Date: Tue, 30 Mar 2021 18:36:59 +0000
Subject: [Backport] CVE-2021-21203: Use after free in Blink
Cherry-pick of commit originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2792423:
Don't erase InterpolationTypes used by other documents
A registered custom property in one document caused the entry for the same custom property (unregistered) used in another document to be deleted, which caused a use-after-free.
Only store the CSSDefaultInterpolationType for unregistered custom properties and never store registered properties in the map. They may have different types in different documents when registered.
Bug: 1192054
Change-Id: I1af03d0a298795db99acc9c62f0d0fff8a5e801d
Commit-Queue: Rune Lillesveen
Reviewed-by: Robert Flack
Cr-Commit-Position: refs/heads/master@{#867692}
Reviewed-by: Allan Sandfeld Jensen
---
 .../core/animation/css_interpolation_types_map.cc | 26 +++++++++-------------
 1 file changed, 10 insertions(+), 16 deletions(-)
diff --git a/chromium/third_party/blink/renderer/core/animation/css_interpolation_types_map.cc b/chromium/third_party/blink/renderer/core/animation/css_interpolation_types_map.cc
index 0dbbc626a3f..8fa2a720510 100644
--- a/chromium/third_party/blink/renderer/core/animation/css_interpolation_types_map.cc
+++ b/chromium/third_party/blink/renderer/core/animation/css_interpolation_types_map.cc
@@ -83,28 +83,22 @@ const InterpolationTypes& CSSInterpolationTypesMap::Get(
 DEFINE_STATIC_LOCAL(ApplicableTypesMap, all_applicable_types_map, ());
 DEFINE_STATIC_LOCAL(ApplicableTypesMap, composited_applicable_types_map, ());
- ApplicableTypesMap& applicable_types_map =
- allow_all_animations_ ? all_applicable_types_map
- : composited_applicable_types_map;
-
- auto entry = applicable_types_map.find(property);
- bool found_entry = entry != applicable_types_map.end();
-
- // Custom property interpolation types may change over time so don't trust the
- // applicableTypesMap without checking the registry.
+ // applicable_types_map without checking the registry. Also since the static
+ // map is shared between documents, the registered type may be different in
+ // the different documents.
 if (registry_ && property.IsCSSCustomProperty()) {
- const auto* registration = GetRegistration(registry_, property);
- if (registration) {
- if (found_entry) {
- applicable_types_map.erase(entry);
- }
+ if (const auto* registration = GetRegistration(registry_, property))
 return registration->GetInterpolationTypes();
- }
 }
- if (found_entry) {
+ ApplicableTypesMap& applicable_types_map =
+ allow_all_animations_ ? all_applicable_types_map
+ : composited_applicable_types_map;
+
+ auto entry = applicable_types_map.find(property);
+ if (entry != applicable_types_map.end())
 return *entry->value;
- }
 std::unique_ptr applicable_types = std::make_unique();
-- cgit v1.2.3
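Review bot: The lifetime invariant that makes the early return safe is stated only in the commit message, not in the code: the static `all_applicable_types_map` and `composited_applicable_types_map` outlive every document, so an entry for a custom property must only ever hold the registry-independent default type, never types obtained from a registration. The new comment before `if (registry_ && property.IsCSSCustomProperty())` explains why the registry is consulted first, but nothing at the `applicable_types_map.find(property)` lookup warns a future maintainer against caching a registration's types there, which is the pattern that produced the use-after-free. I would add above the lookup: `// Custom-property entries hold only CSSDefaultInterpolationType; a registration's types must never be stored here, since these maps are shared across documents and outlive any registry.` The insertion into the map happens after the hunk, in the rest of CSSInterpolationTypesMap::Get, so that path should carry the same note.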