
Issue 873844


Issue metadata

Status: Fixed
Owner:
Closed: Aug 14
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: 2
Type: Bug




Possible use-after-free in FileReaderLoader

Project Member Reported by mek@chromium.org, Aug 13

Issue description

FileReaderLoader::OnReceivedData calls out to its FileReaderLoaderClient. The client could in response delete the FileReaderLoader, resulting in use-after-free in FileReaderLoader::OnDataPipeReadable (the code that called OnReceivedData).
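
The re-entrancy hazard in the description, re-created as a small added example (this is not Chromium code and makes no claim about what the linked commit does; the class names Loader, Client, DeletingClient and CountingClient are hypothetical stand-ins for FileReaderLoader and FileReaderLoaderClient, and the "alive" shared_ptr<bool> is a hand-rolled weak handle used only for illustration). The unsafe method keeps touching `this` after calling out to the client; the safe method takes a handle that outlives the object before the callout and bails out if the object was destroyed in the meantime.

```cpp
#include <cstddef>
#include <memory>

// Hypothetical stand-ins for FileReaderLoaderClient and FileReaderLoader.
// Added for illustration only; none of this is Chromium code.
class Client {
 public:
  virtual ~Client() = default;
  virtual void OnReceivedData(const char* data, std::size_t len) = 0;
};

class Loader {
 public:
  explicit Loader(Client* client)
      : client_(client), alive_(std::make_shared<bool>(true)) {}
  ~Loader() { *alive_ = false; }  // tell outstanding handles we are gone

  // The pattern the bug reports: call out to the client, then keep using
  // 'this'. If the client destroyed the loader, the member write below is a
  // heap use-after-free (undefined behaviour; ASan reports it).
  void OnDataPipeReadableUnsafe(const char* data, std::size_t len) {
    client_->OnReceivedData(data, len);
    bytes_loaded_ += len;
  }

  // One standard defence: grab a handle that outlives the object before the
  // callout and check it afterwards. Returns false if the loader was
  // destroyed during the callout, in which case nothing else is touched.
  bool OnDataPipeReadableSafe(const char* data, std::size_t len) {
    std::shared_ptr<bool> alive = alive_;  // local copy survives ~Loader
    client_->OnReceivedData(data, len);
    if (!*alive) return false;  // 'this' is gone; only the local is used
    bytes_loaded_ += len;
    return true;
  }

  std::size_t bytes_loaded() const { return bytes_loaded_; }

 private:
  Client* client_;
  std::shared_ptr<bool> alive_;
  std::size_t bytes_loaded_ = 0;
};

// A client that owns its loader and tears it down as soon as data arrives
// (the reentrant deletion described in the report).
class DeletingClient : public Client {
 public:
  std::unique_ptr<Loader> loader;
  std::size_t chunks_seen = 0;
  void OnReceivedData(const char*, std::size_t) override {
    ++chunks_seen;
    loader.reset();  // destroys the Loader whose frame is still on the stack
  }
};

// A well-behaved client that just counts what it gets.
class CountingClient : public Client {
 public:
  std::size_t bytes_seen = 0;
  void OnReceivedData(const char*, std::size_t len) override {
    bytes_seen += len;
  }
};

// Scenario 1 (constructed input "hello"): the client deletes the loader during
// the callout. Returns true iff the safe path noticed and bailed out cleanly.
bool SafePathBailsOutOnDeletion() {
  DeletingClient client;
  client.loader = std::make_unique<Loader>(&client);
  Loader* raw = client.loader.get();  // raw: the call below may destroy it
  bool survived = raw->OnDataPipeReadableSafe("hello", 5);
  return !survived && client.loader == nullptr && client.chunks_seen == 1;
}

// Scenario 2: the client keeps the loader alive, so both chunks are counted.
std::size_t SafePathBytesLoadedWhenKept() {
  CountingClient client;
  Loader loader(&client);
  loader.OnDataPipeReadableSafe("hello", 5);
  loader.OnDataPipeReadableSafe("world", 5);
  return loader.bytes_loaded();
}

int main() {
  return (SafePathBailsOutOnDeletion() && SafePathBytesLoadedWhenKept() == 10)
             ? 0
             : 1;
}
```

OnDataPipeReadableUnsafe with a DeletingClient is the bug itself, so the example deliberately never invokes that combination: the outcome is undefined. To see it, build with -fsanitize=address and call it once from main; AddressSanitizer reports a heap-use-after-free on the write to bytes_loaded_.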
 
Project Member

Comment 1 by bugdroid1@chromium.org, Aug 14

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6e40985cc73c2829077833c49851fad6281983f7

commit 6e40985cc73c2829077833c49851fad6281983f7
Author: Marijn Kruisselbrink <mek@chromium.org>
Date: Tue Aug 14 01:36:08 2018

[FileApi] Fix potential use-after-free in FileReaderLoader.

Bug: 873844
Change-Id: Ib01659c5e072806782bae4682cd1e875d06fc40e
Reviewed-on: https://chromium-review.googlesource.com/1173485
Commit-Queue: Marijn Kruisselbrink <mek@chromium.org>
Commit-Queue: Daniel Murphy <dmurph@chromium.org>
Reviewed-by: Daniel Murphy <dmurph@chromium.org>
Cr-Commit-Position: refs/heads/master@{#582789}
[modify] https://crrev.com/6e40985cc73c2829077833c49851fad6281983f7/third_party/blink/renderer/core/fileapi/file_reader_loader.cc

Status: Fixed (was: Started)
