chore: cherry-pick b1b3ccbd57 from chromium. #25852

Merged


@ppontes ppontes commented Oct 9, 2020

Don't create providers if context is lost

CanvasResourceProvider::CreateSharedImageProvider receives a weak pointer
to the ContextProviderWrapper and returns nullptr if it does not exist.

Unfortunately SharedGpuContext::IsGpuCompositingEnabled can re-create
the ContextProviderWrapper after this check happens, leading to potential
use-after-frees.

To me it simply makes the most sense to not create a CRP if context is
lost, as the created provider would be invalid and nullptr would get
returned anyway.

Bug: 1126424
Change-Id: Ic92709d7a38d94e5e7529efac3a09405d64eaa34
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2417097
Reviewed-by: Juanmi Huertas <juanmihd@chromium.org>
Reviewed-by: Fernando Serboncini <fserb@chromium.org>
Commit-Queue: Aaron Krajeski <aaronhk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#809327}

Release Notes

Notes: Backported the fix to CVE-2020-15968: Use after free in Blink.
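
A simplified C++ model of the check-then-re-create hazard the commit message describes, added here as an example; it is not code from this PR or from Chromium. `ContextWrapper`, `SharedContext`, `Outcome` and the factory functions are hypothetical names, and having the factory itself call the query after its check is a modelling assumption.

```cpp
#include <cstdio>
#include <memory>

// Hypothetical stand-in for the context wrapper; not Chromium's class.
struct ContextWrapper { bool lost = false; };

// Hypothetical stand-in for the owner of the shared GPU context.
class SharedContext {
public:
    std::weak_ptr<ContextWrapper> Wrapper() const { return wrapper_; }
    void LoseContext() { wrapper_->lost = true; }
    bool IsContextLost() const { return wrapper_->lost; }
    // A query with a side effect: a lost wrapper is replaced, destroying the old one.
    bool IsGpuCompositingEnabled() {
        if (IsContextLost()) wrapper_ = std::make_shared<ContextWrapper>();
        return true;
    }
private:
    std::shared_ptr<ContextWrapper> wrapper_ = std::make_shared<ContextWrapper>();
};

enum class Outcome { kCreated, kNoProvider, kDanglingWrapper };

// Check-then-use: the existence check passes, then a later call swaps the wrapper.
Outcome CreateProviderUnguarded(SharedContext& ctx) {
    std::weak_ptr<ContextWrapper> weak = ctx.Wrapper();
    if (weak.expired()) return Outcome::kNoProvider;  // existence check
    ctx.IsGpuCompositingEnabled();                    // may free what was just checked
    // A raw pointer kept from the check would now dangle; the model reports it instead.
    return weak.expired() ? Outcome::kDanglingWrapper : Outcome::kCreated;
}

// Guard in the spirit of the fix: create nothing when the context is lost.
Outcome CreateProviderGuarded(SharedContext& ctx) {
    if (ctx.IsContextLost()) return Outcome::kNoProvider;
    return CreateProviderUnguarded(ctx);
}

// Runs one of the two factories against a context that has just been lost.
Outcome RunWithLostContext(bool guarded) {
    SharedContext ctx;
    ctx.LoseContext();
    return guarded ? CreateProviderGuarded(ctx) : CreateProviderUnguarded(ctx);
}

int main() {
    std::printf("unguarded: %d\n", static_cast<int>(RunWithLostContext(false)));
    std::printf("guarded:   %d\n", static_cast<int>(RunWithLostContext(true)));
}
```

The model uses `std::weak_ptr` so the stale reference is detected rather than dereferenced; the guarded factory never reaches the re-creating call when the context is lost.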

@ppontes ppontes added 10-x-y backport-check-skip Skip trop's backport validity checking labels Oct 9, 2020
@ppontes ppontes requested a review from a team as a code owner October 9, 2020 12:16
@electron-cation electron-cation bot added the new-pr 🌱 PR opened in the last 24 hours label Oct 9, 2020
@ppontes ppontes force-pushed the ppontes/cherry-pick/10-x-y/chromium/7e42e0a7c6-n-b1b3ccbd57 branch from bfbef61 to ed4f117 Compare October 9, 2020 12:24
@ppontes ppontes changed the title chore: cherry-pick 7e42e0a7c6 and b1b3ccbd57 from chromium. chore: cherry-pick b1b3ccbd57 from chromium. Oct 9, 2020
@codebytere

@ppontes the patches need an update - you can also just curl & apply https://680101-9384267-gh.circle-artifacts.com/0/patches/update-patches.patch

@electron-cation electron-cation bot removed the new-pr 🌱 PR opened in the last 24 hours label Oct 10, 2020
@ppontes ppontes force-pushed the ppontes/cherry-pick/10-x-y/chromium/7e42e0a7c6-n-b1b3ccbd57 branch from 29c5a9a to 9640650 Compare October 14, 2020 14:26
@zcbenz zcbenz merged commit fb482ae into 10-x-y Oct 15, 2020

release-clerk bot commented Oct 15, 2020

Release Notes Persisted

Backported the fix to CVE-2020-15968: Use after free in Blink.

@zcbenz zcbenz deleted the ppontes/cherry-pick/10-x-y/chromium/7e42e0a7c6-n-b1b3ccbd57 branch October 15, 2020 01:07