Commit 7ee750f
[Backport] CVE-2021-21207: Use after free in IndexedDB
Manual backport and adaptation to BindingSet of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2778871:
Never fail in ReceiverSet::Add
Because of how UniqueReceiverSet is implemented and used, it is
dangerous to allow Add() to fail: callers reasonably assume that added
objects are still alive immediately after the Add() call.
This changes ReceiverId to a uint64 and simply CHECK-fails on
insert collision.
This fundamentally increases binary size of 32-bit builds, because
a widely used 32-bit data type is expanding to 64 bits for the sake
of security and stability. It is effectively unavoidable for now, and
also just barely above the tolerable threshold.
A follow-up (but less backwards-mergeable) change should be able to
reduce binary size beyond this increase by consolidating shared
code among ReceiverSet template instantiations.
Fixed: 1185732
Change-Id: I9acf6aaaa36e10fdce5aa49a890173caddc13c52
Binary-Size: Unavoidable (see above)
Commit-Queue: Ken Rockot <[email protected]>
Auto-Submit: Ken Rockot <[email protected]>
Reviewed-by: Robert Sesek <[email protected]>
Cr-Commit-Position: refs/heads/master@{#865815}
Reviewed-by: Allan Sandfeld Jensen <[email protected]>

1 parent 4bf755e
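The failure mode the commit message describes, as an added example that is not Chromium's code and not the ReceiverSet/BindingSet implementation: a toy receiver set hands out ids from a counter and keys a map with them, so a 32-bit counter that wraps collides with a long-lived entry. The "before" shape lets Add() fail and silently destroys the receiver the caller still points at; the "after" shape widens the id to 64 bits and CHECK-fails on a collision. ToyReceiverSet, AddFallible, AddChecked, TOY_CHECK, Receiver and the SetNextIdForTesting hook (which jumps the counter to the top of its range instead of issuing four billion ids) are all assumptions made for the example.

```cpp
// Added example, not Chromium's code: toy receiver set modelled on the commit
// message. Ids come from a counter and key a std::map, so when a 32-bit
// counter wraps it collides with a long-lived entry. SetNextIdForTesting is
// a hypothetical hook that jumps the counter to the top of its range.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <map>
#include <memory>

// Stand-in for Chromium's CHECK(): a failed check crashes the process.
#define TOY_CHECK(cond)                                    \
  do {                                                     \
    if (!(cond)) {                                         \
      std::fprintf(stderr, "CHECK failed: %s\n", #cond);   \
      std::abort();                                        \
    }                                                      \
  } while (0)

// A receiver that records its own destruction, so the example can show that
// an object the caller still holds a raw pointer to is already gone.
struct Receiver {
  explicit Receiver(bool* flag) : destroyed(flag) {}
  ~Receiver() { *destroyed = true; }
  bool* destroyed;
};

template <typename IdT>
class ToyReceiverSet {
 public:
  // "Before": Add() can fail. On an id collision the map rejects the insert,
  // the unique_ptr is dropped and the receiver is destroyed, but the caller
  // gets only a bool and may go on using the pointer it kept.
  bool AddFallible(std::unique_ptr<Receiver> r) {
    IdT id = next_id_++;
    return receivers_.emplace(id, std::move(r)).second;
  }

  // "After": never fail. A collision is a CHECK failure, so there is no state
  // in which Add() has returned and the receiver is already freed.
  IdT AddChecked(std::unique_ptr<Receiver> r) {
    IdT id = next_id_++;
    bool inserted = receivers_.emplace(id, std::move(r)).second;
    TOY_CHECK(inserted);
    return id;
  }

  void SetNextIdForTesting(IdT id) { next_id_ = id; }  // hypothetical hook
  std::size_t size() const { return receivers_.size(); }

 private:
  IdT next_id_ = 0;
  std::map<IdT, std::unique_ptr<Receiver>> receivers_;
};

struct Outcome {
  bool added;               // what the caller saw
  std::uint64_t id;         // id returned (AddChecked only)
  bool receiver_destroyed;  // was the just-added receiver freed?
  std::size_t live;         // entries in the set afterwards
};

// 32-bit ids with the failing Add(): id 0 is held by a long-lived receiver,
// the counter is pushed to 0xFFFFFFFF, the next id wraps to 0 and collides.
Outcome RunFallible32() {
  bool early = false, bridge = false, late = false;
  ToyReceiverSet<std::uint32_t> set;
  set.AddFallible(std::make_unique<Receiver>(&early));   // id 0, long-lived
  set.SetNextIdForTesting(UINT32_MAX);
  set.AddFallible(std::make_unique<Receiver>(&bridge));  // id 0xFFFFFFFF; counter wraps to 0
  auto r = std::make_unique<Receiver>(&late);
  Receiver* raw = r.get();                      // callers keep a pointer like this
  bool added = set.AddFallible(std::move(r));   // id 0 again: rejected, r freed
  (void)raw;  // dereferencing raw here would be the use-after-free
  return {added, 0, late, set.size()};
}

// 64-bit ids with the checked Add(): the same counter value simply continues
// past 2^32, so no collision occurs and the CHECK does not fire.
Outcome RunChecked64() {
  bool early = false, bridge = false, late = false;
  ToyReceiverSet<std::uint64_t> set;
  set.AddChecked(std::make_unique<Receiver>(&early));    // id 0
  set.SetNextIdForTesting(UINT32_MAX);
  set.AddChecked(std::make_unique<Receiver>(&bridge));   // id 0xFFFFFFFF
  auto r = std::make_unique<Receiver>(&late);
  std::uint64_t id = set.AddChecked(std::move(r));       // id 0x100000000, distinct
  return {true, id, late, set.size()};
}

int main() {
  Outcome a = RunFallible32();
  Outcome b = RunChecked64();
  std::printf("32-bit, fallible Add: added=%d receiver_destroyed=%d live=%zu\n",
              a.added, a.receiver_destroyed, a.live);
  std::printf("64-bit, checked Add: id=%llu receiver_destroyed=%d live=%zu\n",
              static_cast<unsigned long long>(b.id), b.receiver_destroyed, b.live);
  // Calling AddChecked with 32-bit ids at the wrap point would hit TOY_CHECK
  // and abort instead of handing the caller a freed receiver.
  return 0;
}
```

Build with `g++ -std=c++17 toy_receiver_set.cpp` and run. A 64-bit counter can still wrap in principle, which is why the message pairs the widening with the CHECK rather than treating either alone as the fix: the wider id makes the collision practically unreachable, and the CHECK turns the remaining case into a crash instead of a dangling pointer.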
1 file changed, +3 -3 lines changed

Diff (the content of the changed lines was not captured on this page; only the line numbers survive):

Hunk 1: lines 35-41 shown as context; original line 38 removed, new line 38 added.
Hunk 2: lines 279-288 shown as context; original lines 282 and 285 removed, new lines 284 and 285 added.
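Review bot: the changed lines themselves are not visible here (the diff cells are empty), so the CHECK on insert collision and the ReceiverId widening to uint64 that the commit message describes cannot be confirmed against the code on this page; the backport should be checked at the source to confirm that the BindingSet adaptation keeps the CHECK (no failing return from the add path) and not only the wider id type.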