angler-fish
The Vulnerability History Project

Fix use-after-free of m_currentSpeechUtterance.

SpeechSynthesis.cpp incorrectly assumed that calling
m_platformSpeechSynthesizer->cancel() would immediately call
didFinishSpeaking or speakingErrorOccurred, which would null out
m_currentSpeechUtterance. This assumption was true in WebKit/Mac, but
Chromium's platform implementation is asynchronous, so that call may
come later.

Fix the issue and simplify the logic by getting rid of the raw pointer
to the current utterance altogether. Now the RefPtr at the front of the
utterance queue is the current utterance, and the platform implementation
is allowed to fire events on utterances that are no longer in the queue.

BUG=344881
R=abarth@chromium.org

Review URL: https://codereview.chromium.org/180553004

git-svn-id: svn://svn.chromium.org/blink/trunk@168092 bbb929c8-8fbe-4397-9dbb-9b2b20218538
    
commit 5df5039760b6827f83f500b5040ae78654178c54
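The bug and the fix described in the commit message, as an added C++ example that is not Blink's code. `Utterance`, `AsyncPlatform`, `BuggySynthesis` and `FixedSynthesis` are hypothetical stand-ins for SpeechSynthesisUtterance, the platform synthesizer and the before/after versions of SpeechSynthesis, and `std::shared_ptr` stands in for RefPtr. The fake platform can report completion from inside cancel() (the WebKit/Mac behaviour the old code assumed) or on a later turn (Chromium's); in the second case the old code's raw pointer outlives the utterance, while the fixed version treats the RefPtr at the front of the queue as the current utterance and ignores a late event for an utterance it has already dropped.

```cpp
#include <deque>
#include <functional>
#include <memory>
#include <set>
#include <string>
// Hypothetical stand-in for Blink's utterance; live() lets the example detect a dangling
// pointer without dereferencing freed memory (which would be undefined behaviour).
struct Utterance {
    std::string text;
    explicit Utterance(std::string t) : text(std::move(t)) { live().insert(this); }
    ~Utterance() { live().erase(this); }
    static std::set<const Utterance*>& live() { static std::set<const Utterance*> s; return s; }
};
// Fake platform synthesizer. With synchronous = true, cancel() reports completion before it
// returns (the WebKit/Mac behaviour the old code assumed); otherwise the callback is queued
// and delivered on a later turn, as Chromium's implementation does.
struct AsyncPlatform {
    bool synchronous = false;
    std::function<void(Utterance*)> onFinished;
    Utterance* speaking = nullptr;  // not owned: the synthesis queue owns utterances
    std::deque<Utterance*> pending;
    void speak(Utterance* u) { speaking = u; }  void cancel() { finishCurrent(); }
    void finishCurrent() {  // the current utterance ends, by cancel or naturally
        if (!speaking) return;
        Utterance* u = speaking; speaking = nullptr;
        if (synchronous) onFinished(u); else pending.push_back(u);
    }
    void runPendingEvents() { for (; !pending.empty(); pending.pop_front()) onFinished(pending.front()); }
};
// Before the fix: a raw pointer to the current utterance, cleared only by the callback.
class BuggySynthesis {
public:
    explicit BuggySynthesis(AsyncPlatform& p) : m_platform(p) { p.onFinished = [this](Utterance* u) { didFinishSpeaking(u); }; }
    void speak(std::shared_ptr<Utterance> u) { m_queue.push_back(std::move(u)); if (!m_currentSpeechUtterance) startSpeakingImmediately(); }
    void cancel() {
        std::shared_ptr<Utterance> current = m_queue.empty() ? nullptr : m_queue.front();
        m_queue.clear();
        m_platform.cancel();  // assumed to call didFinishSpeaking before returning...
        current.reset();      // ...so dropping the last reference here looked safe
    }
    void didFinishSpeaking(Utterance* u) {
        if (!Utterance::live().count(u)) ++m_staleUses;  // the real code reads *u here: use-after-free
        if (u == m_currentSpeechUtterance) m_currentSpeechUtterance = nullptr;
        startSpeakingImmediately();
    }
    int staleUses() const { return m_staleUses; }
private:
    void startSpeakingImmediately() { if (!m_queue.empty()) m_platform.speak(m_currentSpeechUtterance = m_queue.front().get()); }
    AsyncPlatform& m_platform;
    std::deque<std::shared_ptr<Utterance>> m_queue;
    Utterance* m_currentSpeechUtterance = nullptr;  // the raw pointer the fix removes
    int m_staleUses = 0;
};
// After the fix: the RefPtr at the front of the queue is the current utterance, and a platform
// event for an utterance that is no longer in the queue is ignored.
class FixedSynthesis {
public:
    explicit FixedSynthesis(AsyncPlatform& p) : m_platform(p) { p.onFinished = [this](Utterance* u) { didFinishSpeaking(u); }; }
    void speak(std::shared_ptr<Utterance> u) { m_queue.push_back(std::move(u)); if (m_queue.size() == 1) startSpeakingImmediately(); }
    void cancel() {
        std::shared_ptr<Utterance> current = currentUtterance();  // kept alive across the platform call
        m_queue.clear();
        m_platform.cancel();
        current.reset();  // no raw pointer survives, whenever the callback arrives
    }
    void didFinishSpeaking(Utterance* u) {
        std::shared_ptr<Utterance> current = currentUtterance();
        if (!current || current.get() != u) { ++m_ignoredStaleEvents; return; }
        m_queue.pop_front();
        startSpeakingImmediately();
    }
    std::shared_ptr<Utterance> currentUtterance() const { return m_queue.empty() ? nullptr : m_queue.front(); }
    int ignoredStaleEvents() const { return m_ignoredStaleEvents; }
private:
    void startSpeakingImmediately() { if (!m_queue.empty()) m_platform.speak(m_queue.front().get()); }
    AsyncPlatform& m_platform;
    std::deque<std::shared_ptr<Utterance>> m_queue;
    int m_ignoredStaleEvents = 0;
};
// Constructed scenario: speak, cancel(), deliver any pending callback; returns how many times
// the old code touched a freed utterance (0 on a synchronous platform, 1 on an asynchronous one).
int buggyStaleUses(bool synchronousPlatform) {
    AsyncPlatform platform; platform.synchronous = synchronousPlatform;
    BuggySynthesis synth(platform);
    synth.speak(std::make_shared<Utterance>("hello"));
    synth.cancel();
    platform.runPendingEvents();  // no-op on the synchronous platform
    return synth.staleUses();
}
// Constructed scenario for the fix: the late event for the cancelled utterance is ignored,
// and a normal completion afterwards still advances the queue.
bool fixedHandlesLateEvent() {
    AsyncPlatform platform; FixedSynthesis synth(platform);
    synth.speak(std::make_shared<Utterance>("hello"));
    synth.cancel();
    platform.runPendingEvents();  // stale event for "hello": queue is empty, so it is ignored
    synth.speak(std::make_shared<Utterance>("world"));
    platform.finishCurrent(); platform.runPendingEvents();  // "world" finishes normally and is popped
    return synth.ignoredStaleEvents() == 1 && !synth.currentUtterance();
}
int main() { return buggyStaleUses(true) == 0 && buggyStaleUses(false) == 1 && fixedHandlesLateEvent() ? 0 : 1; }
```

The live() registry exists only so the stale access can be counted rather than performed; in the real code that read is the use-after-free. The fixed version never inspects an incoming pointer when its queue is empty, but this model leaves out the reference the platform side keeps to the object it is speaking: without one, a late event for a freed utterance could carry an address that a later allocation has reused, so an identity check on the address alone is not enough in production code.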