Use-after-free in FilePicker
Bug #1441777 reported by
Chris Coulson
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Oxide |
Fix Released
|
High
|
Olivier Tilloy | ||
| 1.6 |
Fix Released
|
High
|
Olivier Tilloy | ||
| oxide-qt (Ubuntu) |
Fix Released
|
High
|
Unassigned | ||
Bug Description
The oxide::FilePicker class contains a pointer to the RenderViewHost that the picker is associated with. It is also a WebContentsObserver and implements WebContentsObse
However, unless I've missed something, it doesn't look like it calls WebContentsObse
The consequence of this is that RenderViewHost can be deleted (eg, by a process swap on navigation), leaving FilePicker with a dangling pointer which results in a potentially exploitable use-after-free.
CVE References
| Changed in oxide: | |
| importance: | Undecided → High |
| status: | New → Triaged |
| Changed in oxide: | |
| assignee: | nobody → Olivier Tilloy (osomon) |
| Changed in oxide: | |
| status: | Triaged → In Progress |
Revision history for this message
| Marc Deslauriers (mdeslaur) wrote | #1 |
| Changed in oxide: | |
| milestone: | none → branch-1.7 |
| Changed in oxide: | |
| status: | In Progress → Fix Released |
| Changed in oxide-qt (Ubuntu): | |
| status: | New → Triaged |
| importance: | Undecided → High |
| Changed in oxide-qt (Ubuntu): | |
| status: | Triaged → Fix Released |
| information type: | Private Security → Public Security |
To post a comment you must log in.
This is CVE-2015-1321