Fix Null-dereference READ in scoped_refptr<mojo::SimpleWatcher::Context>::operator bool

ClusterFuzz found null-dereference READ in scoped_refptr<mojo::SimpleWatcher::Context>::operator bool. This bug already existed before HeapMojo wrappers were introduced. We are not sure the root cause, but HeapMojo wrappers could sanitize the issue. Bug: 1049056, 1079286 Change-Id: I9f0fae6921024525891841bc942ac3a521a0a015 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2208780Reviewed-by: Kouhei Ueno <kouhei@chromium.org> Reviewed-by: Kentaro Hara <haraken@chromium.org> Reviewed-by: Keishi Hattori <keishi@chromium.org> Commit-Queue: Minoru Chikamune <chikamune@chromium.org> Cr-Commit-Position: refs/heads/master@{#770808}

Fix Null-dereference READ in scoped_refptr<mojo::SimpleWatcher::Context>::operator bool
ClusterFuzz found null-dereference READ in scoped_refptr<mojo::SimpleWatcher::Context>::operator bool. This bug already existed before HeapMojo wrappers were introduced. We are not sure the root cause, but HeapMojo wrappers could sanitize the issue. Bug: 1049056, 1079286 Change-Id: I9f0fae6921024525891841bc942ac3a521a0a015 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2208780Reviewed-by: Kouhei Ueno <kouhei@chromium.org> Reviewed-by: Kentaro Hara <haraken@chromium.org> Reviewed-by: Keishi Hattori <keishi@chromium.org> Commit-Queue: Minoru Chikamune <chikamune@chromium.org> Cr-Commit-Position: refs/heads/master@{#770808}
b8e5a41e · Minoru Chikamune · Commit Bot · cfabb5a3 · b8e5a41e
Commit b8e5a41e authored May 20, 2020 by Minoru Chikamune Committed by Commit Bot May 20, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 8 deletions

third_party/blink/renderer/modules/filesystem/file_system_dispatcher.h ...link/renderer/modules/filesystem/file_system_dispatcher.h +2 -8

No files found.
--- a/third_party/blink/renderer/modules/filesystem/file_system_dispatcher.h
+++ b/third_party/blink/renderer/modules/filesystem/file_system_dispatcher.h
@@ -13,7 +13,6 @@
 #include "third_party/blink/renderer/platform/heap/handle.h"
 #include "third_party/blink/renderer/platform/mojo/heap_mojo_remote.h"
 #include "third_party/blink/renderer/platform/mojo/heap_mojo_unique_receiver_set.h"
-#include "third_party/blink/renderer/platform/mojo/heap_mojo_wrapper_mode.h"
 #include "third_party/blink/renderer/platform/supplementable.h"
 namespace WTF {
@@ -200,17 +199,12 @@ class FileSystemDispatcher : public GarbageCollected<FileSystemDispatcher>,
  void Prefinalize();
-  HeapMojoRemote<mojom::blink::FileSystemManager,
+  HeapMojoRemote<mojom::blink::FileSystemManager> file_system_manager_;
-                 HeapMojoWrapperMode::kWithoutContextObserver>
-      file_system_manager_;
  using OperationsMap =
      HashMap<int, mojo::Remote<mojom::blink::FileSystemCancellableOperation>>;
  OperationsMap cancellable_operations_;
  int next_operation_id_;
-  HeapMojoUniqueReceiverSet<
+  HeapMojoUniqueReceiverSet<mojom::blink::FileSystemOperationListener>
-      mojom::blink::FileSystemOperationListener,
-      std::default_delete<mojom::blink::FileSystemOperationListener>,
-      HeapMojoWrapperMode::kWithoutContextObserver>
      op_listeners_;
 };