Fix UaF in ui::DropTargetEvent::DropTargetEvent.
There is an async operation in WebContentsViewAura that uses a ui::DropTargetEvent. DropTargetEvent has a pointer to OSExchangeData which gets destroyed before the async operation is called. This triggers the UaF because the operation attempts to reference a freed object (OSExchangeData).

Fix is for WebContentsViewAura::DragUpdatedCallback to use a DropMetadata struct instead of a ui::DropTargetEvent. This is the same pattern used by other callbacks in WebContentsViewAura.

(cherry picked from commit 9f4b576)

Bug: 1392661
Change-Id: I3c62a7473ef9b6cdd223f75fbda50671f539f9eb
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4070787
Reviewed-by: Avi Drissman <avi@chromium.org>
Commit-Queue: David Yeung <dayeung@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1078218}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4085256
Cr-Commit-Position: refs/branch-heads/5359@{#1125}
Cr-Branched-From: 27d3765-refs/heads/main@{#1058933}
David Yeung authored and Chromium LUCI CQ committed Dec 8, 2022
1 parent e4b9523, commit eed5a4d
Showing 2 changed files with 15 additions and 11 deletions.
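A simplified model of the lifetime problem and the fix pattern described in the commit message, as an added example that is not Chromium's code. `ExchangeData`, `DropEvent`, `Result`, `RunDragUpdate` and the fields given to `DropMetadata` here are hypothetical stand-ins, and a `std::weak_ptr` models the raw pointer so the stale reference can be observed without undefined behaviour.

```cpp
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-in for the drag payload (the role OSExchangeData plays).
struct ExchangeData { std::string text; };

// Event that only refers to the payload and does not own it.
struct DropEvent {
  std::weak_ptr<ExchangeData> data;  // models the non-owning pointer
  float x, y;
  int source_operations;
};

// By-value snapshot of what the deferred callback needs (assumed fields).
struct DropMetadata {
  explicit DropMetadata(const DropEvent& e)
      : x(e.x), y(e.y), source_operations(e.source_operations) {}
  float x, y;
  int source_operations;
};

struct Result { bool payload_expired; float x; int ops; };

Result RunDragUpdate() {
  std::vector<std::function<void()>> task_queue;  // stands in for the async hop
  Result r{};
  {
    auto payload = std::make_shared<ExchangeData>(ExchangeData{"dragged text"});
    DropEvent event{payload, 12.5f, 40.0f, 3};

    // Risky shape: the task keeps the event, and with it a reference to a
    // payload whose lifetime it does not control.
    task_queue.push_back([event, &r] { r.payload_expired = event.data.expired(); });

    // Pattern named in the fix: copy plain values before posting the task.
    DropMetadata meta(event);
    task_queue.push_back([meta, &r] { r.x = meta.x; r.ops = meta.source_operations; });
  }  // payload is destroyed here, before any queued task runs

  for (auto& task : task_queue) task();
  return r;
}
```

With a raw pointer in place of the `weak_ptr`, the first task would dereference freed memory; the second task never touches the payload, so its result does not depend on the payload's lifetime.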