Use-after-free vulnerability in the MutationObserver::disconnect function in core/dom/MutationObserver.cpp in the DOM implementation in Blink, as used in Google Chrome before 42.0.2311.135, allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering an attempt to unregister a MutationObserver object that is not currently registered.
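As an added illustration of the failure mode described above (this is example code, not Blink's and not part of the fix), here is a minimal model: an observer keeps a set of registrations, disconnect() walks a copy of that set, and unregistering one registration can cascade into unregistering a second one, so the copy ends up holding an entry that is no longer registered. The Observer and Registration names, the sibling cascade that stands in for Blink's real trigger, and the tombstone flag used instead of delete (so the bad access is counted deterministically rather than only showing up as a heap-use-after-free under ASan) are all assumptions of this example.

```cpp
// Added example (not Blink code): model of the disconnect()-over-a-snapshot
// bug, with the pre-fix and post-fix loop shapes side by side.
#include <cstddef>
#include <cstdio>
#include <set>
#include <vector>

struct Observer;

struct Registration {
    Observer* observer;
    // Assumption for the model: unregistering this registration also tears
    // down a linked sibling, i.e. an entry is removed from the original set
    // while disconnect() is still iterating the cloned set.
    Registration* sibling = nullptr;
    // Tombstone instead of `delete`, so a use after unregister is detectable
    // deterministically here instead of only under a sanitizer.
    bool freed = false;

    explicit Registration(Observer* o) : observer(o) {}
    void unregister();
};

struct Observer {
    std::set<Registration*> m_registrations;   // live registrations
    std::vector<Registration*> m_graveyard;     // "freed" ones, kept for cleanup
    std::size_t m_deadUses = 0;                 // touches of a freed registration

    Registration* observe() {
        Registration* r = new Registration(this);
        m_registrations.insert(r);
        return r;
    }

    // Called from Registration::unregister(): the entry leaves the live set
    // and the object goes away with it (modelled by the tombstone flag).
    void observationEnded(Registration* r) {
        m_registrations.erase(r);
        r->freed = true;                        // stands in for `delete r`
        m_graveyard.push_back(r);
    }

    // Pre-fix shape: every entry of the snapshot is unregistered, including
    // one that an earlier iteration already removed from m_registrations.
    void disconnectVulnerable() {
        std::set<Registration*> registrations(m_registrations);
        for (Registration* r : registrations)
            r->unregister();
    }

    // Post-fix shape: only call unregister() on entries still in the live set.
    void disconnectFixed() {
        std::set<Registration*> registrations(m_registrations);
        for (Registration* r : registrations) {
            if (m_registrations.count(r))
                r->unregister();
        }
    }

    ~Observer() {
        for (Registration* r : m_registrations) delete r;
        for (Registration* r : m_graveyard) delete r;
    }
};

void Registration::unregister() {
    if (freed) {
        // In the real code this is an access to freed memory; here it is counted.
        observer->m_deadUses++;
        return;
    }
    Registration* s = sibling;
    sibling = nullptr;
    observer->observationEnded(this);
    if (s && !s->freed)
        s->unregister();                        // the cascade
}

struct Outcome {
    std::size_t deadUses;   // accesses to an already-unregistered entry
    std::size_t remaining;  // registrations still live after disconnect()
};

// Constructed scenario: two cross-linked registrations plus one plain one.
Outcome runDisconnect(bool useFix) {
    Observer observer;
    Registration* a = observer.observe();
    Registration* b = observer.observe();
    observer.observe();
    a->sibling = b;
    b->sibling = a;
    if (useFix)
        observer.disconnectFixed();
    else
        observer.disconnectVulnerable();
    return Outcome{observer.m_deadUses, observer.m_registrations.size()};
}

int main() {
    Outcome v = runDisconnect(false);
    Outcome f = runDisconnect(true);
    std::printf("vulnerable loop: %zu use(s) of a freed registration\n", v.deadUses);
    std::printf("fixed loop:      %zu use(s) of a freed registration\n", f.deadUses);
    return 0;
}
```

Whichever of the two linked registrations the snapshot visits first takes the other one down with it, so the unguarded loop always reaches exactly one entry that is no longer registered; the guarded loop reaches none and still empties the live set, which is what the ASSERT at the end of the real function expects.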
MutationObserver: add a check that the registration being iterated over still exists in the original set
The MutationObserver registration may be unregistered from the original set while iterating on the cloned set. Add a check so that it would only call unregister() on active registrations.
--- trunk/Source/core/dom/MutationObserver.cpp 2015/03/27 07:09:14 192654
+++ trunk/Source/core/dom/MutationObserver.cpp 2015/03/27 07:16:44 192655
@@ -156,8 +156,12 @@
m_records.clear();
InspectorInstrumentation::didClearAllMutationRecords(m_callback->executionContext(), this);
MutationObserverRegistrationSet registrations(m_registrations);
- for (auto& registration : registrations)
- registration->unregister();
+ for (auto& registration : registrations) {
+ // The registration may be already unregistered while iteration.
+ // Only call unregister if it is still in the original set.
+ if (m_registrations.contains(registration))
+ registration->unregister();
+ }
ASSERT(m_registrations.isEmpty());
}
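Review bot: the new `if (m_registrations.contains(registration))` guard is only safe because contains() compares by pointer identity and never dereferences its argument; by the time the loop reaches an entry that an earlier unregister() removed, the cloned `registrations` set may hold a pointer to an object that no longer exists, and the comment on the lines above should say so rather than only that the registration "may be already unregistered" (also "while iteration" should read "during iteration"). One case the guard does not distinguish is worth a sentence as well: if a registration destroyed mid-loop has its address reused by a registration inserted into m_registrations during the same loop, contains() returns true and unregister() runs on that new object; the trailing `ASSERT(m_registrations.isEmpty())` implies that is the intended end state, so stating that assumption next to the check would make the invariant explicit.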