Skip to content
This repository was archived by the owner on Feb 25, 2025. It is now read-only.

[iOS] Fix use-after-free in setBinaryMessenger #44294

Merged
merged 1 commit into from
Aug 2, 2023
Merged

[iOS] Fix use-after-free in setBinaryMessenger #44294

merged 1 commit into from
Aug 2, 2023

Conversation

cbracken
Copy link
Member

@cbracken cbracken commented Aug 2, 2023

Previously, when setting the binary messenger to the current binary messenger, we were freeing the current binary messenger before setting the new (current) binary messenger, triggering a use after free.

Pre-launch Checklist

  • I read the Contributor Guide and followed the process outlined there for submitting PRs.
  • I read the Tree Hygiene wiki page, which explains my responsibilities.
  • I read and followed the Flutter Style Guide and the C++, Objective-C, Java style guides.
  • I listed at least one issue that this PR fixes in the description above.
  • I added new tests to check the change I am making or feature I am adding, or Hixie said the PR is test-exempt. See testing the engine for instructions on writing and running engine tests.
  • I updated/added relevant documentation (doc comments with ///).
  • I signed the CLA.
  • All existing and new tests are passing.

If you need help, consider asking for advice on the #hackers-new channel on Discord.

@cbracken
[iOS] Fix use-after-free in setBinaryMessenger
27157c2 
When setting the binary messenger to the existing binary messenger, we
free the existing object before setting the new (existing) object,
triggering a use after free.
@cbracken cbracken force-pushed the ios-use-after-free branch from 8956213 to 27157c2 Compare August 2, 2023 20:28
cyanglaz
cyanglaz approved these changes Aug 2, 2023
View reviewed changes
Copy link
Contributor

@cyanglaz cyanglaz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@cbracken cbracken added the autosubmit Merge PR when tree becomes green via auto submit App label Aug 2, 2023
@auto-submit auto-submit bot merged commit 6a2afca into flutter:main Aug 2, 2023
@cbracken cbracken deleted the ios-use-after-free branch August 2, 2023 21:25
@engine-flutter-autoroll engine-flutter-autoroll mentioned this pull request Aug 2, 2023
Closed
engine-flutter-autoroll added a commit to engine-flutter-autoroll/flutter that referenced this pull request Aug 2, 2023
@engine-flutter-autoroll
6a2afca22 [iOS] Fix use-after-free in setBinaryMessenger (flutter/eng…
75cfd4f 
…ine#44294)
@engine-flutter-autoroll engine-flutter-autoroll mentioned this pull request Aug 2, 2023
Closed
engine-flutter-autoroll added a commit to engine-flutter-autoroll/flutter that referenced this pull request Aug 2, 2023
@engine-flutter-autoroll
6a2afca22 [iOS] Fix use-after-free in setBinaryMessenger (flutter/eng…
d2bb3a1 
…ine#44294)
@engine-flutter-autoroll engine-flutter-autoroll mentioned this pull request Aug 2, 2023
Closed
engine-flutter-autoroll added a commit to engine-flutter-autoroll/flutter that referenced this pull request Aug 2, 2023
@engine-flutter-autoroll
6a2afca22 [iOS] Fix use-after-free in setBinaryMessenger (flutter/eng…
ca3d9b2 
…ine#44294)
@engine-flutter-autoroll engine-flutter-autoroll mentioned this pull request Aug 3, 2023
Closed
engine-flutter-autoroll added a commit to engine-flutter-autoroll/flutter that referenced this pull request Aug 3, 2023
@engine-flutter-autoroll
6a2afca22 [iOS] Fix use-after-free in setBinaryMessenger (flutter/eng…
073009f 
…ine#44294)
@engine-flutter-autoroll engine-flutter-autoroll mentioned this pull request Aug 3, 2023
Closed
engine-flutter-autoroll added a commit to engine-flutter-autoroll/flutter that referenced this pull request Aug 3, 2023
@engine-flutter-autoroll
6a2afca22 [iOS] Fix use-after-free in setBinaryMessenger (flutter/eng…
dd4ab7a 
…ine#44294)
@engine-flutter-autoroll engine-flutter-autoroll mentioned this pull request Aug 3, 2023
Closed
engine-flutter-autoroll added a commit to engine-flutter-autoroll/flutter that referenced this pull request Aug 3, 2023
@engine-flutter-autoroll
6a2afca22 [iOS] Fix use-after-free in setBinaryMessenger (flutter/eng…
5c8c075 
…ine#44294)
@engine-flutter-autoroll engine-flutter-autoroll mentioned this pull request Aug 3, 2023
Closed
engine-flutter-autoroll added a commit to engine-flutter-autoroll/flutter that referenced this pull request Aug 3, 2023
@engine-flutter-autoroll
6a2afca22 [iOS] Fix use-after-free in setBinaryMessenger (flutter/eng…
840c97d 
…ine#44294)
@engine-flutter-autoroll engine-flutter-autoroll mentioned this pull request Aug 3, 2023
Closed
engine-flutter-autoroll added a commit to engine-flutter-autoroll/flutter that referenced this pull request Aug 3, 2023
@engine-flutter-autoroll
6a2afca22 [iOS] Fix use-after-free in setBinaryMessenger (flutter/eng…
089d21c 
…ine#44294)
@engine-flutter-autoroll engine-flutter-autoroll mentioned this pull request Aug 3, 2023
Merged
engine-flutter-autoroll added a commit to engine-flutter-autoroll/flutter that referenced this pull request Aug 3, 2023
@engine-flutter-autoroll
6a2afca22 [iOS] Fix use-after-free in setBinaryMessenger (flutter/eng…
11fdf72 
…ine#44294)
fluttermirroringbot pushed a commit to flutter/flutter that referenced this pull request Aug 3, 2023
@engine-flutter-autoroll
Manual roll Flutter Engine from 9304c0074d29 to 4c1157b9da54 (24 revi…
c00d241 
…sions) (#131830)

Manual roll requested by [email protected]

flutter/engine@9304c00...4c1157b

2023-08-03 [email protected] Revert Android Hardware Texture PRs (flutter/engine#44310)
2023-08-03 [email protected] Roll Dart SDK from 87df1bbcea5e to 3b9af2825d47 (2 revisions) (flutter/engine#44308)
2023-08-03 [email protected] Roll Fuchsia Mac SDK from Hx7ap5qcoqRIknnnG... to WwFjJuQF_rpToCYPJ... (flutter/engine#44306)
2023-08-03 [email protected] Check whether the lookup of android.hardware.HardwareBuffer found a class (flutter/engine#44304)
2023-08-02 [email protected] [Impeller] Add placeholder filter input. (flutter/engine#44290)
2023-08-02 [email protected] Roll ANGLE from 6c1bab070220 to 6a09e41ce6ea (1 revision) (flutter/engine#44300)
2023-08-02 [email protected] Roll Skia from fd5bd67d532f to c0956a252f30 (1 revision) (flutter/engine#44296)
2023-08-02 [email protected] [iOS] Fix use-after-free in setBinaryMessenger (flutter/engine#44294)
2023-08-02 [email protected] Add Search Web to selection controls on iOS (flutter/engine#43324)
2023-08-02 [email protected] Improve logging in the clang-tidy script (flutter/engine#44228)
2023-08-02 [email protected] Roll ANGLE from 335c6b86d70b to 6c1bab070220 (1 revision) (flutter/engine#44291)
2023-08-02 [email protected] Roll Skia from 25f5a32367ad to fd5bd67d532f (2 revisions) (flutter/engine#44289)
2023-08-02 [email protected] Be sure to clear exceptions after a failed JNI lookup (flutter/engine#44293)
2023-08-02 [email protected] Handle deprecation of Dart_TimelineEvent Embedder API (flutter/engine#42497)
2023-08-02 [email protected] Roll Skia from ccc17f784e5d to 25f5a32367ad (4 revisions) (flutter/engine#44283)
2023-08-02 [email protected] Roll ANGLE from 01ee134bb223 to 335c6b86d70b (2 revisions) (flutter/engine#44287)
2023-08-02 [email protected] Roll Skia from 7104d0e8863f to ccc17f784e5d (2 revisions) (flutter/engine#44279)
2023-08-02 [email protected] [ios][autocorrection]disable auto-correction highlight in iOS 17 (flutter/engine#44176)
2023-08-02 [email protected] Reland Introduce TextureRegistry.ImageTexture and HardwareBufferExternalTextureGL (flutter/engine#44278)
2023-08-02 [email protected] Roll Dart SDK from afbaf4216fc8 to 87df1bbcea5e (1 revision) (flutter/engine#44276)
2023-08-02 [email protected] Roll Skia from 93764a98b866 to 7104d0e8863f (4 revisions) (flutter/engine#44273)
2023-08-02 [email protected] [Impeller] Fix leak of wrapped TextureMTL objects in the Metal embedder API (flutter/engine#44245)
2023-08-02 [email protected] Revert "Listen to window notifications to update application lifecycle" (flutter/engine#44275)
2023-08-02 [email protected] Roll Skia from 514c66ce0471 to 93764a98b866 (1 revision) (flutter/engine#44270)

Also rolling transitive DEPS:
  fuchsia/sdk/core/mac-amd64 from Hx7ap5qcoqRI to WwFjJuQF_rpT

If this roll has caused a breakage, revert this CL and stop the roller
using the controls here:
https://autoroll.skia.org/r/flutter-engine-flutter-autoroll
Please CC [email protected],[email protected],[email protected] on the revert to ensure that a human
is aware of the problem.

To file a bug in Flutter: https://github.com/flutter/flutter/issues/new/choose

To report a problem with the AutoRoller itself, please file a bug:
https://bugs.chromium.org/p/skia/issues/entry?template=Autoroller+Bug

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+doc/main/autoroll/README.md
gaaclarke pushed a commit to gaaclarke/engine that referenced this pull request Aug 30, 2023
@cbracken @gaaclarke
[iOS] Fix use-after-free in setBinaryMessenger (flutter#44294)
fdec7d7 
Previously, when setting the binary messenger to the current binary messenger, we were freeing the current binary messenger before setting the new (current) binary messenger, triggering a use after free.

[C++, Objective-C, Java style guides]: https://github.com/flutter/engine/blob/main/CONTRIBUTING.md#style
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@cyanglaz cyanglaz cyanglaz approved these changes

@hellohuanlin hellohuanlin Awaiting requested review from hellohuanlin

Assignees
No one assigned
Labels
autosubmit Merge PR when tree becomes green via auto submit App platform-ios
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@cbracken @cyanglaz