Description

Fix a use-after-free condition in spellcheck request
SpellCheckRequest::didCancel() and SpellCheckRequest::didSucceed() call into
SpellChecker::didCheck(), which can delete the SpellCheckRequest object. After
this happens, the methods write to a private member variable in the deleted
instance. That's a use-after-free bug.
The bug was caught with the help of ASAN on content shell. Content shell does not
set a spellcheck client. The lack of the spellcheck client reduces the number of
references to the SpellCheckRequest object by 1. When SpellChecker::didCheck()
calls clear() on the ref-ptr of the SpellCheckRequest object, the object deletes
itself, because there are no more references to it.
The test WebFrameTest.CancelSpellingRequestCrash works by setting a NULL
spellcheck client and canceling a pending spellcheck request. This setup hits
the bug in SpellCheckRequest::didCancel(). It's not possible to hit the same bug
in SpellCheckRequest::didSucceed(), because it happens when there's no
spellcheck client, but only a spellcheck client calls didSucceed().
TEST=WebFrameTest.CancelSpellingRequestCrash
TEST=LayoutTests/editing/spelling/copy-paste-crash.html
BUG=259984
Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=154357
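The lifetime problem the description lays out is a general pattern: a method on a reference-counted object calls out to code that may drop the last reference, then touches its own members. The following added example (not code from this patch or from Blink) reconstructs that shape with a hypothetical RefCounted/RefPtr pair and hypothetical SpellChecker and SpellCheckRequest classes named after the ones in the description, and puts the vulnerable method next to one hardened with the common "protect this" idiom, a local RefPtr held for the duration of the call. Whether revision 154357 itself used that idiom is not shown on this page. The runner replays the cancel path with and without the extra reference a spellcheck client would hold; the one combination that is the real bug (no protection, no client) is refused rather than executed, since running it would be genuine undefined behaviour.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Minimal intrusive reference counting in the style of WTF::RefCounted / RefPtr.
// Hypothetical reconstruction for illustration only, not Blink's real classes.
class RefCounted {
public:
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }  // last reference gone: object deleted
    std::size_t refCount() const { return m_refCount; }
protected:
    RefCounted() = default;
    virtual ~RefCounted() = default;
private:
    std::size_t m_refCount = 0;
};

template <typename T>
class RefPtr {
public:
    RefPtr() = default;
    RefPtr(T* ptr) : m_ptr(ptr) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& other) : RefPtr(other.m_ptr) {}
    ~RefPtr() { clear(); }
    RefPtr& operator=(const RefPtr& other) { RefPtr tmp(other); std::swap(m_ptr, tmp.m_ptr); return *this; }
    void clear() { T* p = m_ptr; m_ptr = nullptr; if (p) p->deref(); }
    T* operator->() const { return m_ptr; }
private:
    T* m_ptr = nullptr;
};

using Log = std::vector<std::string>;
class SpellChecker;

class SpellCheckRequest : public RefCounted {
public:
    SpellCheckRequest(SpellChecker& checker, Log& log) : m_checker(checker), m_log(log) {}
    ~SpellCheckRequest() override { m_log.push_back("request destroyed"); }
    void didCancelUnsafe();  // the vulnerable shape
    void didCancel();        // the hardened shape
    bool isCancelled() const { return m_isCancelled; }
private:
    SpellChecker& m_checker;
    Log& m_log;
    bool m_isCancelled = false;
};

// The checker owns a reference to the request it is processing and drops it in didCheck().
class SpellChecker {
public:
    explicit SpellChecker(Log& log) : m_log(log) {}
    void setProcessingRequest(SpellCheckRequest* request) { m_processingRequest = request; }
    void didCheck() {
        m_log.push_back("didCheck: checker dropped its reference");
        m_processingRequest.clear();  // if this was the last reference, the request is deleted here
    }
private:
    Log& m_log;
    RefPtr<SpellCheckRequest> m_processingRequest;
};

// Vulnerable shape from the description: didCheck() can release the last reference to
// *this, after which the member write (and the m_log access) touch freed memory.
void SpellCheckRequest::didCancelUnsafe() {
    m_checker.didCheck();
    m_isCancelled = true;  // use-after-free when didCheck() deleted us
    m_log.push_back("member written");
}

// Hardened shape: a local RefPtr means the count cannot reach zero inside didCheck().
void SpellCheckRequest::didCancel() {
    RefPtr<SpellCheckRequest> protect(this);
    m_checker.didCheck();
    m_isCancelled = true;  // safe: protect still holds a reference
    m_log.push_back("member written");
}  // protect is released here; if it was the last reference, destruction happens now

// Replays the cancel path. withClient models a spellcheck client that also holds a
// reference to the pending request (content shell has none, so only the checker does).
// useProtect=false, withClient=false is the actual bug and is deliberately not executed.
Log runCancelScenario(bool useProtect, bool withClient) {
    Log log;
    if (!useProtect && !withClient) {
        log.push_back("refused: would be a use-after-free");
        return log;
    }
    SpellChecker checker(log);
    {
        RefPtr<SpellCheckRequest> clientRef;  // the client's reference, if any
        SpellCheckRequest* request = new SpellCheckRequest(checker, log);
        checker.setProcessingRequest(request);  // checker's reference: count 1
        if (withClient) clientRef = request;    // client's reference: count 2
        log.push_back("refs before cancel: " + std::to_string(request->refCount()));
        if (useProtect) request->didCancel();
        else request->didCancelUnsafe();
    }  // clientRef is released here; if it held the last reference the request dies now
    return log;
}

int main() {
    for (const std::string& line : runCancelScenario(/*useProtect=*/true, /*withClient=*/false))
        std::cout << line << '\n';
    return 0;
}
```

The event log is the check a practitioner wants: in every executed combination "member written" precedes "request destroyed", which is exactly the ordering the unsafe method cannot guarantee once the client's extra reference is gone. Under ASan the refused combination reports a heap-use-after-free on the `m_isCancelled` store, which is the signal the description attributes to the WebFrameTest.CancelSpellingRequestCrash setup.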
Patch Set 1
Total comments: 5
Patch Set 2: Address comments