Pchen0/electron

chore: cherry-pick cf90db14f2 from chromium (#38276)

* chore: cherry-pick cf90db14f2 from chromium

* chore: update patches

---------

Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com>

Pedro Pontes 1 year ago

parent

08ae619c5d

commit

53d9cdbaf0

2 changed files with 44 additions and 0 deletions

Split View Show Diff Stats

						
							+ 1
							
							- 0
						
patches/chromium/.patches
							 
								View File
							
				@@ -140,3 +140,4 @@ merge_m112_remove_the_second_weakptrfactory_from.patch
			
				 merge_m112_check_spdyproxyclientsocket_is_alive_after_write.patch
			
				 check_callback_availability_in.patch
			
				 m112_cherry_pick_libxml_cve_fix.patch
			
				+m112_fix_scopedobservation_uaf_in.patch

						
							+ 43
							
							- 0
						
patches/chromium/m112_fix_scopedobservation_uaf_in.patch
							 
								View File
							
				@@ -0,0 +1,43 @@
			
				+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
			
				+From: Keren Zhu <[email protected]>
			
				+Date: Mon, 24 Apr 2023 15:36:21 +0000
			
				+Subject: Fix ScopedObservation UaF in
			
				+ BubbleDialogDelegate::AnchorWidgetObserver
			
				+
			
				+A ScopedObservation can outlive the aura::Window it observes, leading to
			
				+a use-after-free error in ~ScopedObservation(). The problem occurs in
			
				+BubbleDialogDelegate::AnchorWidgetObserver. This fix listens for
			
				+OnWindowDestroying() and resets the observation to prevent the UaF.
			
				+
			
				+(cherry picked from commit 72bd6a1018548ee63a2ec06d6c7714d3a8cdf8a8)
			
				+
			
				+Bug: 1423360
			
				+Change-Id: I742b4624b2664dea3fd97db7b399fcd15e45c8fe
			
				+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4455016
			
				+Code-Coverage: Findit <[email protected]>
			
				+Reviewed-by: Elly Fong-Jones <[email protected]>
			
				+Commit-Queue: Keren Zhu <[email protected]>
			
				+Cr-Original-Commit-Position: refs/heads/main@{#1133511}
			
				+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4466947
			
				+Reviewed-by: Allen Bauer <[email protected]>
			
				+Cr-Commit-Position: refs/branch-heads/5615@{#1353}
			
				+Cr-Branched-From: 9c6408ef696e83a9936b82bbead3d41c93c82ee4-refs/heads/main@{#1109224}
			
				+
			
				+diff --git a/ui/views/bubble/bubble_dialog_delegate_view.cc b/ui/views/bubble/bubble_dialog_delegate_view.cc
			
				+index 83c8a188d455b0db143b4747ef79d8d72d7717ca..0fca4fa9786ae405cc9f9198f21a2aaae66f748d 100644
			
				+--- a/ui/views/bubble/bubble_dialog_delegate_view.cc
			
				++++ b/ui/views/bubble/bubble_dialog_delegate_view.cc
			
				+@@ -320,6 +320,13 @@ class BubbleDialogDelegate::AnchorWidgetObserver : public WidgetObserver,
			
				+       owner_->OnAnchorBoundsChanged();
			
				+     }
			
				+   }
			
				++
			
				++  // If the native window is closed by the OS, OnWidgetDestroying() won't
			
				++  // fire. Instead, OnWindowDestroying() will fire before aura::Window
			
				++  // destruction. See //docs/ui/views/widget_destruction.md.
			
				++  void OnWindowDestroying(aura::Window* window) override {
			
				++    window_observation_.Reset();
			
				++  }
			
				+ #endif
			
				+ 
			
				+  private:

chore: cherry-pick cf90db14f2 from chromium (#38276)

+ 1 - 0 patches/chromium/.patches View File

+ 43 - 0 patches/chromium/m112_fix_scopedobservation_uaf_in.patch View File

+ 1 - 0
patches/chromium/.patches
View File

+ 43 - 0
patches/chromium/m112_fix_scopedobservation_uaf_in.patch
View File