11 matches found
Google Chrome M73 - Data Race in ExtensionsGuestViewMessageFilter
There appears to be a race condition in the destruction of the ExtensionsGuestViewMessageFilter if the ProcessIdToFilterMap is modified concurrently. See the comment in the code:...
Google Chrome M73 - Double-Destruction Race in StoragePartitionService
There's a race condition in the destruction of the BindingState for bindings to the StoragePartitionService. It looks like the root cause of the issue is that since we can get two concurrent calls to callbacks returned from...
Google Chrome < M73 - FileSystemOperationRunner Use-After-Free Exploit
operation) { OperationID id = next_operation_id_++; // TODO(https://crbug.com/864351): Diagnostic to determine whether OperationID // wrap-around is occurring in the wild. DCHECK(operations_.find(id) == operations_.end()); // ! If id already in operations_, this will free operation...
Google Chrome < M73 - Data Race in ExtensionsGuestViewMessageFilter
There appears to be a race condition in the destruction of the ExtensionsGuestViewMessageFilter if the ProcessIdToFilterMap is modified concurrently. See the comment in the code: ExtensionsGuestViewMessageFilter::ExtensionsGuestViewMessageFilter() { DCHECK_CURRENTLY_ON(BrowserThread::IO); // This map is...
Google Chrome < M73 - FileSystemOperationRunner Use-After-Free
There's a comment in FileSystemOperationRunner::BeginOperation: OperationID FileSystemOperationRunner::BeginOperation(std::unique_ptr operation) { OperationID id = next_operation_id_++; // TODO(https://crbug.com/864351): Diagnostic to determine whether OperationID // wrap-around is occurring in the wild...
Google Chrome < M73 - Double-Destruction Race in StoragePartitionService
There's a race condition in the destruction of the BindingState for bindings to the StoragePartitionService. It looks like the root cause of the issue is that since we can get two concurrent calls to callbacks returned from mojo::BindingSet::GetBadMessageCallback from the same BindingSet, which...
Google Chrome M73 - FileSystemOperationRunner Use-After-Free
There's a comment in FileSystemOperationRunner::BeginOperation: OperationID FileSystemOperationRunner::BeginOperation(std::unique_ptr operation) { OperationID id = next_operation_id_++; // TODO(https://crbug.com/864351): Diagnostic to determine...
Google Chrome < M73 - Double-Destruction Race in StoragePartitionService Exploit
There's a race condition in the destruction of the BindingState for bindings to the StoragePartitionService. It looks like the root cause of the issue is that since we can get two concurrent calls to callbacks returned from...
Google Chrome < M73 - MidiManagerWin Use-After-Free Exploit
MidiManagerWin uses a similar instance_id mechanism to the TaskService implementation to ensure that delayed tasks are only executed if the MidiManager instance that they were scheduled on is still alive. However, this instance_id is an int,...
Google Chrome < M73 - Data Race in ExtensionsGuestViewMessageFilter Exploit
There appears to be a race condition in the destruction of the ExtensionsGuestViewMessageFilter if the ProcessIdToFilterMap is modified concurrently. See the comment in the code:...
Google Chrome < M73 - MidiManagerWin Use-After-Free
MidiManagerWin uses a similar instance_id mechanism to the TaskService implementation to ensure that delayed tasks are only executed if the MidiManager instance that they were scheduled on is still alive. However, this instance_id is an int, and there is no check that it hasn't overflowed, unlike i...