File CVE-2022-0971-qtwebengine-5.15.patch of Package qt6-webengine

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2022-0971-qtwebengine-5.15.patch of Package qt6-webengine

From d13d0924c4e18ecc4b79adf0fec142ee9a9eaa14 Mon Sep 17 00:00:00 2001
From: "liberato@chromium.org" <liberato@chromium.org>
Date: Mon, 7 Mar 2022 20:17:13 +0000
Subject: [Backport] CVE-2022-0971

Don't use a deleted RenderFrameHost.

Since we do not check for frame liveness, a RenderFrameHost might be
deleted (in the use-after-free sense) without another call to
RenderFrameDeleted.  So, WeakPtr it to avoid these cases.

Bug: 1299422

Task-number: QTBUG-101946
Change-Id: Ie4fe85f88ef80f4e4c3d0452397c0e5050ed881c
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
---
 .../display_cutout/display_cutout_host_impl.cc     | 29 +++++++++++++---------
 .../display_cutout/display_cutout_host_impl.h      | 10 ++++++--
 2 files changed, 25 insertions(+), 14 deletions(-)

diff --git a/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.cc b/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.cc
index 1640ec83489..8f89cc24b5f 100644
--- a/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.cc
+++ b/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.cc
@@ -5,6 +5,7 @@
 #include "content/browser/display_cutout/display_cutout_host_impl.h"
 
 #include "content/browser/display_cutout/display_cutout_constants.h"
+#include "content/browser/renderer_host/render_frame_host_impl.h"
 #include "content/browser/web_contents/web_contents_impl.h"
 #include "content/public/browser/navigation_handle.h"
 #include "mojo/public/cpp/bindings/associated_remote.h"
@@ -33,7 +34,7 @@ void DisplayCutoutHostImpl::ViewportFitChangedForFrame(
 
   // If we are the current |RenderFrameHost| frame then notify
   // WebContentsObservers about the new value.
-  if (current_rfh_ == rfh)
+  if (current_rfh_.get() == rfh)
     web_contents_impl_->NotifyViewportFitChanged(value);
 
   MaybeQueueUKMEvent(rfh);
@@ -60,7 +61,9 @@ void DisplayCutoutHostImpl::DidFinishNavigation(
 
   // If we finish a main frame navigation and the |WebDisplayMode| is
   // fullscreen then we should make the main frame the current
-  // |RenderFrameHost|.
+  // |RenderFrameHost|.  Note that this is probably not correct; we do not check
+  // that the navigation completed successfully, nor do we check if the main
+  // frame is still IsRenderFrameLive().
   blink::mojom::DisplayMode mode = web_contents_impl_->GetDisplayMode();
   if (mode == blink::mojom::DisplayMode::kFullscreen)
     SetCurrentRenderFrameHost(web_contents_impl_->GetMainFrame());
@@ -70,7 +73,7 @@ void DisplayCutoutHostImpl::RenderFrameDeleted(RenderFrameHost* rfh) {
   values_.erase(rfh);
 
   // If we were the current |RenderFrameHost| then we should clear that.
-  if (current_rfh_ == rfh)
+  if (current_rfh_.get() == rfh)
     SetCurrentRenderFrameHost(nullptr);
 }
 
@@ -87,7 +90,7 @@ void DisplayCutoutHostImpl::SetDisplayCutoutSafeArea(gfx::Insets insets) {
   insets_ = insets;
 
   if (current_rfh_)
-    SendSafeAreaToFrame(current_rfh_, insets);
+    SendSafeAreaToFrame(current_rfh_.get(), insets);
 
   // If we have a pending UKM event on the top of the stack that is |kAllowed|
   // and we have a |current_rfh_| then we should update that UKM event as it
@@ -100,26 +103,28 @@ void DisplayCutoutHostImpl::SetDisplayCutoutSafeArea(gfx::Insets insets) {
 }
 
 void DisplayCutoutHostImpl::SetCurrentRenderFrameHost(RenderFrameHost* rfh) {
-  if (current_rfh_ == rfh)
+  if (current_rfh_.get() == rfh)
     return;
 
   // If we had a previous frame then we should clear the insets on that frame.
   if (current_rfh_)
-    SendSafeAreaToFrame(current_rfh_, gfx::Insets());
-
-  // Update the |current_rfh_| with the new frame.
-  current_rfh_ = rfh;
+    SendSafeAreaToFrame(current_rfh_.get(), gfx::Insets());
 
   // If the new RenderFrameHost is nullptr we should stop here and notify
   // observers that the new viewport fit is kAuto (the default).
   if (!rfh) {
+    current_rfh_ = nullptr;
     web_contents_impl_->NotifyViewportFitChanged(
         blink::mojom::ViewportFit::kAuto);
     return;
   }
 
+
+  // Update the |current_rfh_| with the new frame.
+  current_rfh_ = static_cast<RenderFrameHostImpl*>(rfh)->GetWeakPtr();
+
   // Record a UKM event for the new frame.
-  MaybeQueueUKMEvent(current_rfh_);
+  MaybeQueueUKMEvent(current_rfh_.get());
 
   // Send the current safe area to the new frame.
   SendSafeAreaToFrame(rfh, insets_);
@@ -159,11 +164,11 @@ void DisplayCutoutHostImpl::MaybeQueueUKMEvent(RenderFrameHost* frame) {
   blink::mojom::ViewportFit supplied_value = GetValueOrDefault(frame);
   if (supplied_value == blink::mojom::ViewportFit::kAuto)
     return;
-  blink::mojom::ViewportFit applied_value = GetValueOrDefault(current_rfh_);
+  blink::mojom::ViewportFit applied_value = GetValueOrDefault(current_rfh_.get());
 
   // Set the reason why this frame is not the current frame.
   int ignored_reason = DisplayCutoutIgnoredReason::kAllowed;
-  if (current_rfh_ != frame) {
+  if (current_rfh_.get() != frame) {
     ignored_reason =
         current_rfh_ == nullptr
             ? DisplayCutoutIgnoredReason::kWebContentsNotFullscreen
diff --git a/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.h b/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.h
index 56081029df0..2477a4bcd7d 100644
--- a/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.h
+++ b/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.h
@@ -5,12 +5,15 @@
 #ifndef CONTENT_BROWSER_DISPLAY_CUTOUT_DISPLAY_CUTOUT_HOST_IMPL_H_
 #define CONTENT_BROWSER_DISPLAY_CUTOUT_DISPLAY_CUTOUT_HOST_IMPL_H_
 
+#include "base/memory/weak_ptr.h"
 #include "content/public/browser/web_contents_observer.h"
 #include "content/public/browser/web_contents_receiver_set.h"
 #include "third_party/blink/public/mojom/page/display_cutout.mojom.h"
 
 namespace content {
 
+class RenderFrameHostImpl;
+
 class DisplayCutoutHostImpl : public blink::mojom::DisplayCutoutHost {
  public:
   explicit DisplayCutoutHostImpl(WebContentsImpl*);
@@ -74,8 +77,11 @@ class DisplayCutoutHostImpl : public blink::mojom::DisplayCutoutHost {
   gfx::Insets insets_;
 
   // Stores the current |RenderFrameHost| that has the applied safe area insets
-  // and is controlling the viewport fit value.
-  RenderFrameHost* current_rfh_ = nullptr;
+  // and is controlling the viewport fit value. This value is different than
+  // `WebContentsImpl::current_fullscreen_frame_` because it also considers
+  // browser side driven fullscreen mode, not just renderer side requested
+  // frames.
+  base::WeakPtr<RenderFrameHostImpl> current_rfh_;
 
   // Stores a map of RenderFrameHosts and their current viewport fit values.
   std::map<RenderFrameHost*, blink::mojom::ViewportFit> values_;
-- 
cgit v1.2.1

Places

File CVE-2022-0971-qtwebengine-5.15.patch of Package qt6-webengine

Places