Fix UAF in SyntheticPointerAction

https://crrev.com/c/4241725 fixed a UAF where a gesture action causes the browser window to be closed and the gesture controller to be destroyed. It did so by checking for the controller's destruction after any click-type event dispatch and early returning to ensure we're not touching any of the gesture's members after destroying it.

That CL missed one case in SyntheticPointerAction. While ForwardInputEvents does check for destruction and return GESTURE_ABORT, the call to ForwardTouchOrMouseInputEvents has some code after dispatch that will read memory belonging to |this|. This CL adds an early return in this case as well.

Bug: 1427918,1394736
Change-Id: I08bf3a42f0bcaa44b2a795021fb5f8e32b35a67a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4375537
Reviewed-by: Mustaq Ahmed <mustaq@chromium.org>
Commit-Queue: David Bokan <bokan@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1123742}
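
The pattern the commit message describes (detect destruction after dispatch, return before touching members), as an added example that is not Chromium code and not part of the CL. Every name except GESTURE_ABORT is hypothetical, and the shared liveness flag is an assumed stand-in for whatever mechanism the real code uses to detect destruction.

```cpp
// Added illustration; all names except GESTURE_ABORT are hypothetical.
#include <functional>
#include <memory>
#include <utility>

enum class Result { GESTURE_FINISHED, GESTURE_ABORT };

class PointerAction {
 public:
  explicit PointerAction(std::function<void()> dispatch)
      : dispatch_(std::move(dispatch)) {}
  ~PointerAction() { *alive_ = false; }

  Result Forward() {
    // Locals survive destruction of |this|; members do not.
    std::shared_ptr<bool> alive = alive_;
    std::function<void()> dispatch = dispatch_;
    dispatch();  // The handler may close the window and delete |this|.
    if (!*alive)
      return Result::GESTURE_ABORT;  // Early return: no member access below.
    ++events_sent_;  // Post-dispatch bookkeeping that reads |this|.
    return Result::GESTURE_FINISHED;
  }

 private:
  std::function<void()> dispatch_;
  std::shared_ptr<bool> alive_ = std::make_shared<bool>(true);
  int events_sent_ = 0;
};

// Constructed scenario: the owner stands in for the gesture controller.
Result RunScenario(bool handler_closes_window) {
  std::unique_ptr<PointerAction> owner;
  owner = std::make_unique<PointerAction>([&owner, handler_closes_window] {
    if (handler_closes_window)
      owner.reset();  // Destroys the action while Forward() is on the stack.
  });
  return owner->Forward();
}

int main() {
  return RunScenario(true) == Result::GESTURE_ABORT ? 0 : 1;
}
```

Without the liveness check, the `++events_sent_` line would write to freed memory in the window-closing case; building with AddressSanitizer makes that visible.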