author | Michal Klocek <michal.klocek@qt.io> | 2023-01-13 16:00:48 +0100 |
---|---|---|
committer | Michal Klocek <michal.klocek@qt.io> | 2023-02-28 13:44:16 +0100 |
commit | 44d3935d1491359f1e829de490a2d50c046f8180 (patch) | |
tree | 71c1fc94f45ba6d8bd3b3aa947641cd5f9a74b48 | |
parent | b44f357d511a7af5e3e40583bcd0cbf9c20fa743 (diff) |
Fix use after free in permission grant
The permission grant can become a dangling pointer in the
origin state struct; fix it.
Change-Id: If16b604a8c3c05d09ea923251dabcae73192dd7d
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
(cherry picked from commit 16d3701b1dd4887cc4affb0447ee3b9b7729e7fb)
Reviewed-by: Michael BrĂ¼ning <michael.bruning@qt.io>
4 files changed, 29 insertions, 2 deletions
diff --git a/src/core/file_system_access/file_system_access_permission_context_qt.cpp b/src/core/file_system_access/file_system_access_permission_context_qt.cpp
index 0eb57adde..11a50e1c7 100644
--- a/src/core/file_system_access/file_system_access_permission_context_qt.cpp
+++ b/src/core/file_system_access/file_system_access_permission_context_qt.cpp
@@ -446,4 +446,22 @@ bool FileSystemAccessPermissionContextQt::AncestorHasActivePermission(
     return false;
 }
 
+void FileSystemAccessPermissionContextQt::PermissionGrantDestroyed(
+        FileSystemAccessPermissionGrantQt *grant)
+{
+    auto it = m_origins.find(grant->origin());
+    if (it == m_origins.end())
+        return;
+
+    auto &grants =
+            grant->type() == GrantType::kRead ? it->second.read_grants : it->second.write_grants;
+    auto grant_it = grants.find(grant->path());
+
+    if (grant_it == grants.end()) {
+        return;
+    }
+    if (grant_it->second == grant)
+        grants.erase(grant_it);
+}
+
 } // namespace QtWebEngineCore
diff --git a/src/core/file_system_access/file_system_access_permission_context_qt.h b/src/core/file_system_access/file_system_access_permission_context_qt.h
index 3c6ffeb40..1e2843ce7 100644
--- a/src/core/file_system_access/file_system_access_permission_context_qt.h
+++ b/src/core/file_system_access/file_system_access_permission_context_qt.h
@@ -19,7 +19,7 @@ class BrowserContext;
 }
 
 namespace QtWebEngineCore {
-
+class FileSystemAccessPermissionGrantQt;
 class FileSystemAccessPermissionContextQt : public content::FileSystemAccessPermissionContext,
                                             public KeyedService {
@@ -54,6 +54,8 @@ public:
     void NavigatedAwayFromOrigin(const url::Origin &origin);
     content::BrowserContext *profile() const { return m_profile; }
 
+    void PermissionGrantDestroyed(FileSystemAccessPermissionGrantQt *);
+
 private:
     class PermissionGrantImpl;
diff --git a/src/core/file_system_access/file_system_access_permission_grant_qt.cpp b/src/core/file_system_access/file_system_access_permission_grant_qt.cpp
index 27f225755..b9a8f5a26 100644
--- a/src/core/file_system_access/file_system_access_permission_grant_qt.cpp
+++ b/src/core/file_system_access/file_system_access_permission_grant_qt.cpp
@@ -22,7 +22,11 @@ FileSystemAccessPermissionGrantQt::FileSystemAccessPermissionGrantQt(
     : m_context(context), m_origin(origin), m_path(path), m_handleType(handle_type), m_type(type)
 {
 }
-
+FileSystemAccessPermissionGrantQt::~FileSystemAccessPermissionGrantQt()
+{
+    if (m_context)
+        m_context->PermissionGrantDestroyed(this);
+}
 void FileSystemAccessPermissionGrantQt::RequestPermission(
         content::GlobalRenderFrameHostId frame_id, UserActivationState user_activation_state,
         base::OnceCallback<void(PermissionRequestOutcome)> callback)
diff --git a/src/core/file_system_access/file_system_access_permission_grant_qt.h b/src/core/file_system_access/file_system_access_permission_grant_qt.h
index a54b2a3d3..e1d1ca7e9 100644
--- a/src/core/file_system_access/file_system_access_permission_grant_qt.h
+++ b/src/core/file_system_access/file_system_access_permission_grant_qt.h
@@ -38,6 +38,9 @@ public:
     void SetStatus(PermissionStatus status);
 
+protected:
+    ~FileSystemAccessPermissionGrantQt() override;
+
 private:
     void OnPermissionRequestResult(base::OnceCallback<void(PermissionRequestOutcome)> callback,
                                    PermissionAction result);
|
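Review bot: PermissionGrantDestroyed calls `grant->origin()`, `grant->type()` and `grant->path()` on an object whose destructor is already running (the grant_qt.cpp hunk invokes it from `~FileSystemAccessPermissionGrantQt`), which is only safe while those accessors read members that are still alive and the context never stores, ref-counts or re-dispatches on `grant`; nothing in the new function records that contract. Suggest a comment above the definition: `// Called from ~FileSystemAccessPermissionGrantQt: |grant| is mid-destruction, so only its plain member accessors may be used and it must not be retained here.` The `grant_it->second == grant` check before `grants.erase(grant_it)` is the right guard, since it stops a newer grant registered under the same path from being dropped when an older one dies. Style: the two early returns mix forms, `if (it == m_origins.end()) return;` unbraced versus `if (grant_it == grants.end()) { return; }` braced; pick one for the function.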
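Review bot: `PermissionGrantDestroyed` is added to the public section of the context with no comment on who may call it or what it does to the grant bookkeeping, although it is only meaningful from the grant's destructor. Suggest documenting the declaration: `// Called by FileSystemAccessPermissionGrantQt's destructor so m_origins stops holding a pointer to the dying grant; not for general use.` Naming the parameter in the declaration (`FileSystemAccessPermissionGrantQt *grant`) would also make the header readable on its own.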
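Review bot: The new destructor's `if (m_context)` only guards against a null pointer, not against a context that has already been destroyed; the constructor initialises `m_context` from a plain `context` argument and its declared type is not in this diff, so if it is a raw pointer rather than a `base::WeakPtr`, a grant that outlives its `FileSystemAccessPermissionContextQt` would dereference freed memory in `m_context->PermissionGrantDestroyed(this)`, the mirror image of the bug this commit fixes. The protected `override` destructor in the grant_qt.h hunk is the shape reference-counted Chromium types use, which suggests a held reference can keep a grant alive past the context's teardown, so this case looks reachable rather than theoretical. If the member is raw, either have the context reset `m_context` on every grant it still tracks during its own destruction, or switch the member to a `base::WeakPtr`; please confirm the member's type either way. Minor: the removed blank line is not restored, so the destructor now abuts both the constructor's closing brace and `RequestPermission`; the constructor starts before this hunk and `RequestPermission` continues after it.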