[Backport] CVE-2024-12694: Use after free in Compositing

szager-chromium · mibrunin · commit 4fe7f501f90d · 2025-01-22T15:20:40.000Z
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/6093379: Prevent ImageData from being reclaimed while in use Cherry-picked from: https://chromium-review.googlesource.com/c/chromium/src/+/5990752 Bug: chromium:368222741 Change-Id: If830b19287fd7c4aa07137044f23a14f8ce6912d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6093379 Reviewed-by: Prudhvikumar Bommana <pbommana@google.com> Owners-Override: Prudhvikumar Bommana <pbommana@google.com> Commit-Queue: Prudhvikumar Bommana <pbommana@google.com> Cr-Commit-Position: refs/branch-heads/6723@{#2713} Cr-Branched-From: 985f2961df230630f9cbd75bd6fe463009855a11-refs/heads/main@{#1356013} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/615319 Reviewed-by: Anu Aliyas <anu.aliyas@qt.io>
diff --git a/chromium/cc/tiles/gpu_image_decode_cache.cc b/chromium/cc/tiles/gpu_image_decode_cache.cc
@@ -2401,6 +2401,9 @@ void GpuImageDecodeCache::DecodeImageIfNecessary(
 
   image_data->decode.ResetData();
 
+  // Prevent image_data from being deleted while lock is not held.
+  scoped_refptr<ImageData> image_data_holder(image_data);
+
   // Decode the image into `aux_image_data` while the lock is not held.
   DecodedAuxImageData aux_image_data[kAuxImageCount];
   {
@@ -2728,6 +2731,9 @@ void GpuImageDecodeCache::UploadImageIfNecessary_GpuCpu_YUVA(
   sk_sp<SkImage> uploaded_v_image =
       image_data->decode.image(2, AuxImage::kDefault);
 
+  // Prevent image_data from being deleted while lock is not held.
+  scoped_refptr<ImageData> image_data_holder(image_data);
+
   // For kGpu, we upload and color convert (if necessary).
   if (image_data->mode == DecodedDataMode::kGpu) {
     DCHECK(!use_transfer_cache_);
@@ -2815,6 +2821,9 @@ void GpuImageDecodeCache::UploadImageIfNecessary_GpuCpu_RGBA(
   DCHECK(!use_transfer_cache_);
   DCHECK(!image_data->info.yuva.has_value());
 
+  // Prevent image_data from being deleted while lock is not held.
+  scoped_refptr<ImageData> image_data_holder(image_data);
+
   // RGBX decoding is below.
   // For kGpu, we upload and color convert (if necessary).
   if (image_data->mode == DecodedDataMode::kGpu) {
