Fix use-after-free in URLRequestCustomJobProxy::reply

The following operations are executing concurrently on the UI & IO threads: 1. UI thread executes QWebEngineUrlRequestJob::reply --> PostTask(IO, URLRequestCustomJobProxy::reply). IO thread executes URLRequestCustomJob::Kill --> PostTask(UI, URLRequestCustomJobProxy::release). 2. UI thread executes URLRequestCustomJobProxy::release, then deletes the QWebEngineUrlRequestJob and the QIODevice. IO thread executes URLRequestCustomJobProxy::reply and tries to use the QIODevice. Depending on scheduling, the IO thread will try to use the QIODevice after it has been deleted on the UI thread. Change-Id: I7a9793a7492a493e1787e7ee6d0058c0d1aa00ac Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io> Reviewed-by: Michal Klocek <michal.klocek@qt.io>
author: Jüri Valdmann <juri.valdmann@qt.io> 2018-11-26 14:37:49 +0100
committer: Jüri Valdmann <juri.valdmann@qt.io> 2018-11-27 08:31:44 +0000
commit: bd34017fdd17a1044bd645c68386fda29ab77d0d (patch)
tree: 88a1515e204215530f19962919502900875b17a0 /src/core/net
parent: 44abfea789b8677a741530c44a0cd35e5276ddf3 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/src/core/net/url_request_custom_job.cpp b/src/core/net/url_request_custom_job.cpp
index ecfa8e17a..d371c7bff 100644
--- a/src/core/net/url_request_custom_job.cpp
+++ b/src/core/net/url_request_custom_job.cpp
@@ -84,6 +84,7 @@ void URLRequestCustomJob::Start()
 void URLRequestCustomJob::Kill()
 {
     DCHECK_CURRENTLY_ON(content::BrowserThread::IO);
+    m_proxy->m_job = nullptr;
     if (m_device && m_device->isOpen())
         m_device->close();
     if (m_pendingReadBuffer) {
author	Jüri Valdmann <juri.valdmann@qt.io>	2018-11-26 14:37:49 +0100
committer	Jüri Valdmann <juri.valdmann@qt.io>	2018-11-27 08:31:44 +0000
commit	bd34017fdd17a1044bd645c68386fda29ab77d0d (patch)
tree	88a1515e204215530f19962919502900875b17a0 /src/core/net
parent	44abfea789b8677a741530c44a0cd35e5276ddf3 (diff)