[Backport] CVE-2021-21203: Use after free in Blink

lilles · mibrunin · commit 1fec1bec9bc1 · 2021-05-07T08:27:34.000Z
Cherry-pick of commit originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2792423: Don't erase InterpolationTypes used by other documents A registered custom property in one document caused the entry for the same custom property (unregistered) used in another document to be deleted, which caused a use-after-free. Only store the CSSDefaultInterpolationType for unregistered custom properties and never store registered properties in the map. They may have different types in different documents when registered. Bug: 1192054 Change-Id: I1af03d0a298795db99acc9c62f0d0fff8a5e801d Commit-Queue: Rune Lillesveen <futhark@chromium.org> Reviewed-by: Robert Flack <flackr@chromium.org> Cr-Commit-Position: refs/heads/master@{#867692} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
diff --git a/chromium/third_party/blink/renderer/core/animation/css_interpolation_types_map.cc b/chromium/third_party/blink/renderer/core/animation/css_interpolation_types_map.cc
@@ -76,28 +76,22 @@ const InterpolationTypes& CSSInterpolationTypesMap::Get(
   DEFINE_STATIC_LOCAL(ApplicableTypesMap, all_applicable_types_map, ());
   DEFINE_STATIC_LOCAL(ApplicableTypesMap, composited_applicable_types_map, ());
 
-  ApplicableTypesMap& applicable_types_map =
-      allow_all_animations_ ? all_applicable_types_map
-                            : composited_applicable_types_map;
-
-  auto entry = applicable_types_map.find(property);
-  bool found_entry = entry != applicable_types_map.end();
-
   // Custom property interpolation types may change over time so don't trust the
-  // applicableTypesMap without checking the registry.
+  // applicable_types_map without checking the registry. Also since the static
+  // map is shared between documents, the registered type may be different in
+  // the different documents.
   if (registry_ && property.IsCSSCustomProperty()) {
-    const auto* registration = GetRegistration(registry_.Get(), property);
-    if (registration) {
-      if (found_entry) {
-        applicable_types_map.erase(entry);
-      }
+    if (const auto* registration = GetRegistration(registry_, property))
       return registration->GetInterpolationTypes();
-    }
   }
 
-  if (found_entry) {
+  ApplicableTypesMap& applicable_types_map =
+      allow_all_animations_ ? all_applicable_types_map
+                            : composited_applicable_types_map;
+
+  auto entry = applicable_types_map.find(property);
+  if (entry != applicable_types_map.end())
     return *entry->value;
-  }
 
   std::unique_ptr<InterpolationTypes> applicable_types =
       std::make_unique<InterpolationTypes>();
