Home Explore 引导页 在线工具 Blog
Register Sign In
Pchen0
/
electron
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

chore: cherry-pick b7ccc3f6cc from chromium (#25896)

* chore: cherry-pick b7ccc3f6cc from chromium

* update patches

Co-authored-by: Electron Bot <[email protected]>
Pedro Pontes 4 years ago
parent
5e6c03c5c5
commit
40f0c01e15
2 changed files with 51 additions and 0 deletions
Split View Show Diff Stats
  1. 1 0
      patches/chromium/.patches
  2. 50 0
      patches/chromium/avoid_use-after-free.patch

+ 1 - 0
patches/chromium/.patches
View File 

@@ -140,3 +140,4 @@ cherry-pick-814a27f8522b.patch
 
 cherry-pick-adc731d678c4.patch
 
 cherry-pick-52dceba66599.patch
 
 cherry-pick-abc6ab85e704.patch
 
+avoid_use-after-free.patch

+ 50 - 0
patches/chromium/avoid_use-after-free.patch
View File 

@@ -0,0 +1,50 @@
 
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 
+From: Bruce Dawson <[email protected]>
 
+Date: Thu, 17 Sep 2020 22:34:58 +0000
 
+Subject: Avoid use-after-free
 
+
 
+SetNotWaitingForResponse can trigger a message pump which can then free
 
+the object which |this| points to. This use-after-free can be avoided by
 
+not dereferencing |this| after the call, by ensuring that calling
 
+SetNotWaitingForResponse is the last thing done.
 
+
 
+(cherry picked from commit e1c5c8442210bccfbc2475c9bc75a9cf99bb259e)
 
+
 
+Bug: 1125199
 
+Change-Id: Ie1289c93112151978e6daaa1d24326770028c529
 
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2407065
 
+Reviewed-by: Alex Moshchuk <[email protected]>
 
+Commit-Queue: Bruce Dawson <[email protected]>
 
+Cr-Original-Commit-Position: refs/heads/master@{#806839}
 
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2416264
 
+Reviewed-by: Bruce Dawson <[email protected]>
 
+Cr-Commit-Position: refs/branch-heads/4240@{#816}
 
+Cr-Branched-From: f297677702651916bbf65e59c0d4bbd4ce57d1ee-refs/heads/master@{#800218}
 
+
 
+diff --git a/content/browser/web_contents/web_contents_impl.cc b/content/browser/web_contents/web_contents_impl.cc
 
+index 5b4f85cfadac54fa81a357ebece6f9b274066a29..d300755ec1402d7bd0fb9488a2829962b98853cb 100644
 
+--- a/content/browser/web_contents/web_contents_impl.cc
 
++++ b/content/browser/web_contents/web_contents_impl.cc
 
+@@ -3409,10 +3409,11 @@ void WebContentsImpl::SetNotWaitingForResponse() {
 
+     return;
 
+ 
+   waiting_for_response_ = false;
 
+-  if (delegate_)
 
+-    delegate_->LoadingStateChanged(this, is_load_to_different_document_);
 
+   for (auto& observer : observers_)
 
+     observer.DidReceiveResponse();
 
++
 
++  if (delegate_)
 
++    delegate_->LoadingStateChanged(this, is_load_to_different_document_);
 
+ }
 
+ 
+ void WebContentsImpl::SendScreenRects() {
 
+@@ -4526,6 +4527,8 @@ void WebContentsImpl::ReadyToCommitNavigation(
 
+             : false);
 
+   }
 
+ 
++  // LoadingStateChanged must be called last in case it triggers deletion of
 
++  // |this| due to recursive message pumps.
 
+   SetNotWaitingForResponse();
 
+ }
 
+