Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Factory
nodejs-electron
RenderFrameHostImpl-use-after-free.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File RenderFrameHostImpl-use-after-free.patch of Package nodejs-electron
--- src/content/browser/renderer_host/render_frame_host_impl.cc.orig 2023-02-08 21:38:09.974003318 +0100 +++ src/content/browser/renderer_host/render_frame_host_impl.cc 2023-02-13 14:13:50.217792624 +0100 @@ -8,6 +8,7 @@ #include <deque> #include <limits> #include <memory> +#include <new> #include <optional> #include <string_view> #include <tuple> @@ -1818,7 +1819,12 @@ RenderFrameHostImpl::~RenderFrameHostImp // `DocumentService` and `RenderFrameHostUserData` subclasses are still valid // when their destructors run. document_associated_data_->RemoveAllServices(); - document_associated_data_.reset(); + // HACK: Using .reset() here works on MSVC and LLVM libc++ because the std::optional + // is still valid while the destructor runs. This does not work on GNU libstdc++ + // however which invalidates the optional before calling the destructor, causing a crash. + // Upstream bug: https://bugs.chromium.org/p/chromium/issues/detail?id=1415154 + document_associated_data_->~DocumentAssociatedData(); + new(&document_associated_data_) std::optional<DocumentAssociatedData>(std::nullopt); // If this was the last active frame in the SiteInstanceGroup, the // DecrementActiveFrameCount call will trigger the deletion of the @@ -13254,7 +13260,9 @@ bool RenderFrameHostImpl::DidCommitNavig // RenderFrameHost commits before the navigation commits. This happens // when the current RenderFrameHost crashes before navigating to a new // URL. - document_associated_data_.emplace(*this, + // bsc#1227307 — same root cause as above + document_associated_data_->~DocumentAssociatedData(); + new(&document_associated_data_) std::optional<DocumentAssociatedData>(std::in_place, *this, navigation_request->GetDocumentToken()); } else { // Cross-RenderFrameHost navigations that commit into a speculative
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor