mirrors/electron
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions 1

fix: use a WeakPtr so we do not UAF the store in FunctionLifetimeMonitor (#22056)

Browse source
This commit is contained in:
Samuel Attard 2020-02-08 20:49:38 -08:00 committed by GitHub
parent 43592f8b71
commit dafbf04b9a
2 changed files with 21 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

4
shell/renderer/api/context_bridge/render_frame_context_bridge_store.h
View file

@ -50,6 +50,10 @@ class RenderFramePersistenceStore final : public content::RenderFrameObserver {
v8::Local<v8::Value> proxy_value); v8::Local<v8::Value> proxy_value);
v8::MaybeLocal<v8::Value> GetCachedProxiedObject(v8::Local<v8::Value> from); v8::MaybeLocal<v8::Value> GetCachedProxiedObject(v8::Local<v8::Value> from);
base::WeakPtr<RenderFramePersistenceStore> GetWeakPtr() {
return weak_factory_.GetWeakPtr();
}
private: private:
// func_id ==> { function, owning_context } // func_id ==> { function, owning_context }
std::map<size_t, FunctionContextPair> functions_; std::map<size_t, FunctionContextPair> functions_;

20
shell/renderer/api/electron_api_context_bridge.cc
View file

@ -111,25 +111,31 @@ bool IsPlainArray(const v8::Local<v8::Value>& arr) {
class FunctionLifeMonitor final : public ObjectLifeMonitor { class FunctionLifeMonitor final : public ObjectLifeMonitor {
public: public:
static void BindTo(v8::Isolate* isolate, static void BindTo(
v8::Isolate* isolate,
v8::Local<v8::Object> target, v8::Local<v8::Object> target,
context_bridge::RenderFramePersistenceStore* store, base::WeakPtr<context_bridge::RenderFramePersistenceStore> store,
size_t func_id) { size_t func_id) {
new FunctionLifeMonitor(isolate, target, store, func_id); new FunctionLifeMonitor(isolate, target, store, func_id);
} }
protected: protected:
FunctionLifeMonitor(v8::Isolate* isolate, FunctionLifeMonitor(
v8::Isolate* isolate,
v8::Local<v8::Object> target, v8::Local<v8::Object> target,
context_bridge::RenderFramePersistenceStore* store, base::WeakPtr<context_bridge::RenderFramePersistenceStore> store,
size_t func_id) size_t func_id)
: ObjectLifeMonitor(isolate, target), store_(store), func_id_(func_id) {} : ObjectLifeMonitor(isolate, target), store_(store), func_id_(func_id) {}
~FunctionLifeMonitor() override = default; ~FunctionLifeMonitor() override = default;
void RunDestructor() override { store_->functions().erase(func_id_); } void RunDestructor() override {
if (!store_)
return;
store_->functions().erase(func_id_);
}
private: private:
context_bridge::RenderFramePersistenceStore* store_; base::WeakPtr<context_bridge::RenderFramePersistenceStore> store_;
size_t func_id_; size_t func_id_;
}; };
@ -176,7 +182,7 @@ v8::MaybeLocal<v8::Value> PassValueToOtherContext(
base::BindRepeating(&ProxyFunctionWrapper, store, func_id)); base::BindRepeating(&ProxyFunctionWrapper, store, func_id));
FunctionLifeMonitor::BindTo(destination_context->GetIsolate(), FunctionLifeMonitor::BindTo(destination_context->GetIsolate(),
v8::Local<v8::Object>::Cast(proxy_func), v8::Local<v8::Object>::Cast(proxy_func),
store, func_id); store->GetWeakPtr(), func_id);
store->CacheProxiedObject(value, proxy_func); store->CacheProxiedObject(value, proxy_func);
return v8::MaybeLocal<v8::Value>(proxy_func); return v8::MaybeLocal<v8::Value>(proxy_func);
} }