Commit aedd4d97 authored by yiyix, committed by Chromium LUCI CQ

Fix poison address in blink::CanvasResourceHost::InitializeForRecording

After allocating a large buffer in memory and creating a canvas, it will
trigger the garbage collection from v8, which will trigger
HTMLCanvasElement::Dispose to be called. This call will cause the
canvas element to be detached from the |host|. However, the |host| is saved
as a valid callback in the observer list of the canvas resource
provider. Calling this |host| without a canvas element causes this access
to a poison address.

In my fix, after garbage collection is triggered and dispose is called,
DiscardResourceProvider() is called as well, so it removes itself from
the observer list.

Bug: 1158266

Change-Id: I40bfc24ff5dcdb7a248114220100b6dd54ac06f4
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2595734
Commit-Queue: Jeremy Roman <jbroman@chromium.org>
Commit-Queue: Yi Xu <yiyix@chromium.org>
Reviewed-by: Jeremy Roman <jbroman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#838228}
parent cb3f8450
......@@ -151,6 +151,7 @@ void HTMLCanvasElement::Dispose() {
// We need to drop frame dispatcher, to prevent mojo calls from completing.
frame_dispatcher_ = nullptr;
DiscardResourceProvider();
if (context_) {
UMA_HISTOGRAM_BOOLEAN("Blink.Canvas.HasRendered", bool(ResourceProvider()));
......
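Review bot: The new DiscardResourceProvider() call is placed before the `if (context_)` block, so the `UMA_HISTOGRAM_BOOLEAN("Blink.Canvas.HasRendered", bool(ResourceProvider()))` call on the very next visible line now samples the resource provider after it has already been discarded and will presumably always record false. Consider recording the histogram before the new call, or moving `DiscardResourceProvider();` below that block, so the metric keeps its meaning while the observer-list entry is still removed on dispose.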