Fix CVE-2019-5786: Use-after-free in FileReader (see https://crbug.com/936448)

2025-02-16 12:10:41 +01:00 · 2019-03-07 17:25:12 -05:00 · 2019-03-07 17:25:12 -05:00 · c974488bae
commit c974488bae
parent cc1dc0f59d
2 changed files with 33 additions and 0 deletions
--- a/patch/patch.cfg
+++ b/patch/patch.cfg
@ -402,5 +402,10 @@ patches = [
    # macOS: Fix crash when showing a select popup with CefDoMessageLoopWork.
    # https://bitbucket.org/chromiumembedded/cef/issues/2495
    'name': 'message_pump_mac_2495',
+  },
+  {
+    # Fix CVE-2019-5786: Use-after-free in FileReader.
+    # https://bugs.chromium.org/p/chromium/issues/detail?id=936448
+    'name': 'blink_filereader_936448',
  }
 ]
--- a/patch/patches/blink_filereader_936448.patch
+++ b/patch/patches/blink_filereader_936448.patch
@ -0,0 +1,28 @@
+diff --git third_party/blink/renderer/core/fileapi/file_reader_loader.cc third_party/blink/renderer/core/fileapi/file_reader_loader.cc
+index 173a43dfbd05..f7f0154954d0 100644
+--- third_party/blink/renderer/core/fileapi/file_reader_loader.cc
+++ third_party/blink/renderer/core/fileapi/file_reader_loader.cc
+@@ -142,14 +142,16 @@ DOMArrayBuffer* FileReaderLoader::ArrayBufferResult() {
+   if (!raw_data_ || error_code_)
+     return nullptr;
+ 
+-  DOMArrayBuffer* result = DOMArrayBuffer::Create(raw_data_->ToArrayBuffer());
+-  if (finished_loading_) {
+-    array_buffer_result_ = result;
+-    AdjustReportedMemoryUsageToV8(
+-        -1 * static_cast<int64_t>(raw_data_->ByteLength()));
+-    raw_data_.reset();
+  if (!finished_loading_) {
+    return DOMArrayBuffer::Create(
+        ArrayBuffer::Create(raw_data_->Data(), raw_data_->ByteLength()));
+   }
+-  return result;
+
+  array_buffer_result_ = DOMArrayBuffer::Create(raw_data_->ToArrayBuffer());
+  AdjustReportedMemoryUsageToV8(-1 *
+                                static_cast<int64_t>(raw_data_->ByteLength()));
+  raw_data_.reset();
+  return array_buffer_result_;
+ }
+ 
+ String FileReaderLoader::StringResult() {