Commit 1522c9a7 authored by Miyoung Shin's avatar Miyoung Shin Committed by Commit Bot

Fix UAF crash in PermissionServiceContext::CreateServiceForWorker

This CL recreates the |permission_service_context_| on-demand in
RenderProcessHostImpl::CreatePermissionService to avoid accessing
the nullptr.

Bug: 1036779
Change-Id: I1f464de70a6e4b281380b9b83fee06e012831236
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2014720
Reviewed-by: Balazs Engedy <engedy@chromium.org>
Reviewed-by: Bo <boliu@chromium.org>
Commit-Queue: Miyoung Shin <myid.shin@igalia.com>
Cr-Commit-Position: refs/heads/master@{#735402}
parent 66b8ef83
...@@ -1497,7 +1497,6 @@ RenderProcessHostImpl::RenderProcessHostImpl( ...@@ -1497,7 +1497,6 @@ RenderProcessHostImpl::RenderProcessHostImpl(
is_unused_(true), is_unused_(true),
delayed_cleanup_needed_(false), delayed_cleanup_needed_(false),
within_process_died_observer_(false), within_process_died_observer_(false),
permission_service_context_(new PermissionServiceContext(this)),
indexed_db_factory_( indexed_db_factory_(
new IndexedDBDispatcherHost( new IndexedDBDispatcherHost(
id_, id_,
...@@ -2014,6 +2013,10 @@ void RenderProcessHostImpl::CreatePermissionService( ...@@ -2014,6 +2013,10 @@ void RenderProcessHostImpl::CreatePermissionService(
const url::Origin& origin, const url::Origin& origin,
mojo::PendingReceiver<blink::mojom::PermissionService> receiver) { mojo::PendingReceiver<blink::mojom::PermissionService> receiver) {
DCHECK_CURRENTLY_ON(BrowserThread::UI); DCHECK_CURRENTLY_ON(BrowserThread::UI);
if (!permission_service_context_)
permission_service_context_.reset(new PermissionServiceContext(this));
permission_service_context_->CreateServiceForWorker(origin, permission_service_context_->CreateServiceForWorker(origin,
std::move(receiver)); std::move(receiver));
} }
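Review bot: The null check added in CreatePermissionService is the only guard visible for `permission_service_context_`, yet the constructor hunk removes its initialization, so the member is now null from construction until this function first runs, in addition to whatever later reset the fix targets. Any other dereference of the member outside these two hunks (none is visible here) needs the same guard, so a single private lazy getter would hold the invariant in one place instead of relying on each call site. The title calls this a use-after-free while the description and the code deal with a null pointer; a comment at the check such as `// No longer created in the constructor and cleared at <reset site>; recreated on demand.` would record which lifetime event this depends on. As a style point, `permission_service_context_ = std::make_unique<PermissionServiceContext>(this);` avoids the raw `new` in `reset(...)`. No regression test for the recreate-after-reset path appears in the visible change.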
......