[Merge to M119] Make URLSearchParams persistent to avoid UaF

The URLSearchParams::Create() function returns an on-heap object, but it can be garbage collected, so making it a persistent variable in DidFetchDataLoadedString() mitigates the issue. (cherry picked from commit 8b1bd77) Bug: 1497997 Change-Id: I3c27ba18b9c46d22d841e06f4a91bcc360aad287 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4996929 Reviewed-by: Adam Rice <ricea@chromium.org> Commit-Queue: Nidhi Jaju <nidhijaju@chromium.org> Cr-Original-Commit-Position: refs/heads/main@{#1218682} Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5009227 Commit-Queue: Adam Rice <ricea@chromium.org> Auto-Submit: Nidhi Jaju <nidhijaju@chromium.org> Cr-Commit-Position: refs/branch-heads/6045@{#1260} Cr-Branched-From: 905e8bd-refs/heads/main@{#1204232}
chromium · Nov 8, 2023 · 1e397bb · 1e397bb
1 parent 3baa336
commit 1e397bb
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/third_party/blink/renderer/core/fetch/body.cc b/third_party/blink/renderer/core/fetch/body.cc
@@ -135,8 +135,13 @@ class BodyFormDataConsumer final : public BodyConsumerBase {
 
   void DidFetchDataLoadedString(const String& string) override {
     auto* formData = MakeGarbageCollected<FormData>();
-    for (const auto& pair : URLSearchParams::Create(string)->Params())
+    // URLSearchParams::Create() returns an on-heap object, but it can be
+    // garbage collected, so making it a persistent variable on the stack
+    // mitigates use-after-free scenarios. See crbug.com/1497997.
+    Persistent<URLSearchParams> search_params = URLSearchParams::Create(string);
+    for (const auto& pair : search_params->Params()) {
       formData->append(pair.first, pair.second);
+    }
     DidFetchDataLoadedFormData(formData);
   }
 };