Filip/playwright
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

browser(webkit): fix use after free when context is being destroyed (#14262)

Browse source 
OverridenGeolocationProvider can be destroyed after BrowserContext. Since the provider is owned by WebGeolocationManagerProxy we now store weak pointer to it in the browser context.

Refs: #14081
This commit is contained in:
Yury Semikhatsky 2022-05-18 11:44:21 -07:00 committed by GitHub
parent d5ea1b38f0
commit 6e3b065bbe
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 14 additions and 17 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
browser_patches/webkit/BUILD_NUMBER
View file

@ -1,2 +1,2 @@
1645 1646
Changed: yurys@chromium.org Mon 16 May 2022 05:39:21 PM PDT Changed: yurys@chromium.org Wed 18 May 2022 11:31:37 AM PDT

27
browser_patches/webkit/patches/bootstrap.diff
View file

@ -14543,10 +14543,10 @@ index 0000000000000000000000000000000000000000..d0e11ed81a6257c011df23d5870da740
+} // namespace WebKit +} // namespace WebKit
diff --git a/Source/WebKit/UIProcess/InspectorPlaywrightAgent.cpp b/Source/WebKit/UIProcess/InspectorPlaywrightAgent.cpp diff --git a/Source/WebKit/UIProcess/InspectorPlaywrightAgent.cpp b/Source/WebKit/UIProcess/InspectorPlaywrightAgent.cpp
new file mode 100644 new file mode 100644
index 0000000000000000000000000000000000000000..1d3c9874cd78f2d881424f9e0dcbbbb23ad226fe index 0000000000000000000000000000000000000000..6039fdbcef4cc08e51a195b0c82a4cfb3a5ef8a1
--- /dev/null --- /dev/null
+++ b/Source/WebKit/UIProcess/InspectorPlaywrightAgent.cpp +++ b/Source/WebKit/UIProcess/InspectorPlaywrightAgent.cpp
@@ -0,0 +1,967 @@ @@ -0,0 +1,963 @@
+/* +/*
+ * Copyright (C) 2019 Microsoft Corporation. + * Copyright (C) 2019 Microsoft Corporation.
+ * + *
@ -14674,17 +14674,12 @@ index 0000000000000000000000000000000000000000..1d3c9874cd78f2d881424f9e0dcbbbb2
+ WebPageProxy& m_page; + WebPageProxy& m_page;
+}; +};
+ +
+class OverridenGeolocationProvider final : public API::GeolocationProvider { +class OverridenGeolocationProvider final : public API::GeolocationProvider, public CanMakeWeakPtr<OverridenGeolocationProvider> {
+ WTF_MAKE_NONCOPYABLE(OverridenGeolocationProvider);
+public: +public:
+ explicit OverridenGeolocationProvider(BrowserContext* browserContext) + OverridenGeolocationProvider()
+ : m_position(WebGeolocationPosition::create(WebCore::GeolocationPositionData())) + : m_position(WebGeolocationPosition::create(WebCore::GeolocationPositionData()))
+ , m_browserContext(browserContext)
+ { + {
+ m_browserContext->geolocationProvider = this;
+ }
+
+ ~OverridenGeolocationProvider() override {
+ m_browserContext->geolocationProvider = nullptr;
+ } + }
+ +
+ void setPosition(const Ref<WebGeolocationPosition>& position) { + void setPosition(const Ref<WebGeolocationPosition>& position) {
@ -14706,14 +14701,15 @@ index 0000000000000000000000000000000000000000..1d3c9874cd78f2d881424f9e0dcbbbb2
+ } + }
+ +
+ Ref<WebGeolocationPosition> m_position; + Ref<WebGeolocationPosition> m_position;
+ BrowserContext* m_browserContext;
+}; +};
+ +
+namespace { +namespace {
+ +
+void setGeolocationProvider(BrowserContext* browserContext) { +void setGeolocationProvider(BrowserContext* browserContext) {
+ auto provider = makeUnique<OverridenGeolocationProvider>();
+ browserContext->geolocationProvider = *provider;
+ auto* geoManager = browserContext->processPool->supplement<WebGeolocationManagerProxy>(); + auto* geoManager = browserContext->processPool->supplement<WebGeolocationManagerProxy>();
+ geoManager->setProvider(makeUnique<OverridenGeolocationProvider>(browserContext)); + geoManager->setProvider(WTFMove(provider));
+} +}
+ +
+String toBrowserContextIDProtocolString(const PAL::SessionID& sessionID) +String toBrowserContextIDProtocolString(const PAL::SessionID& sessionID)
@ -15649,10 +15645,10 @@ index 0000000000000000000000000000000000000000..8522b4942343d9a6f2473ea9a133d1ff
+#endif // ENABLE(REMOTE_INSPECTOR) +#endif // ENABLE(REMOTE_INSPECTOR)
diff --git a/Source/WebKit/UIProcess/InspectorPlaywrightAgentClient.h b/Source/WebKit/UIProcess/InspectorPlaywrightAgentClient.h diff --git a/Source/WebKit/UIProcess/InspectorPlaywrightAgentClient.h b/Source/WebKit/UIProcess/InspectorPlaywrightAgentClient.h
new file mode 100644 new file mode 100644
index 0000000000000000000000000000000000000000..c3ff5fb7028a03fd697fe78e3f92ef9e2527037d index 0000000000000000000000000000000000000000..c9f2d7ec888e819a49cb898803432013f6270c2a
--- /dev/null --- /dev/null
+++ b/Source/WebKit/UIProcess/InspectorPlaywrightAgentClient.h +++ b/Source/WebKit/UIProcess/InspectorPlaywrightAgentClient.h
@@ -0,0 +1,68 @@ @@ -0,0 +1,69 @@
+/* +/*
+ * Copyright (C) 2019 Microsoft Corporation. + * Copyright (C) 2019 Microsoft Corporation.
+ * + *
@ -15688,6 +15684,7 @@ index 0000000000000000000000000000000000000000..c3ff5fb7028a03fd697fe78e3f92ef9e
+#include <wtf/HashSet.h> +#include <wtf/HashSet.h>
+#include <wtf/Noncopyable.h> +#include <wtf/Noncopyable.h>
+#include <wtf/RefCounted.h> +#include <wtf/RefCounted.h>
+#include <wtf/WeakPtr.h>
+ +
+namespace WebKit { +namespace WebKit {
+ +
@ -15706,7 +15703,7 @@ index 0000000000000000000000000000000000000000..c3ff5fb7028a03fd697fe78e3f92ef9e
+ RefPtr<WebsiteDataStore> dataStore; + RefPtr<WebsiteDataStore> dataStore;
+ RefPtr<WebProcessPool> processPool; + RefPtr<WebProcessPool> processPool;
+ HashSet<WebPageProxy*> pages; + HashSet<WebPageProxy*> pages;
+ OverridenGeolocationProvider* geolocationProvider { nullptr }; + WeakPtr<OverridenGeolocationProvider> geolocationProvider;
+}; +};
+ +
+class InspectorPlaywrightAgentClient { +class InspectorPlaywrightAgentClient {