[Backport] CVE-2024-12382: Use after free in Translate

fergald · mibrunin · commit 024489c023b0 · 2025-01-22T15:20:17.000Z
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/6068832: Fix callbacks in LanguageDetectionModel::NotifyModelLoaded. (cherry picked from commit 9c299bcdb77c63cc75c29c009ed035c6c223067e) Bug: 379516109 Change-Id: Idb9a853f71478fe3da8676df486076e5f87fd9f2 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6054828 Reviewed-by: Tsuyoshi Horo <horo@chromium.org> Commit-Queue: Fergal Daly <fergal@chromium.org> Cr-Original-Commit-Position: refs/heads/main@{#1389623} Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6068832 Commit-Queue: Prudhvikumar Bommana <pbommana@google.com> Auto-Submit: Fergal Daly <fergal@chromium.org> Reviewed-by: Alexander Bolodurin <alexbn@chromium.org> Cr-Commit-Position: refs/branch-heads/6723@{#2690} Cr-Branched-From: 985f2961df230630f9cbd75bd6fe463009855a11-refs/heads/main@{#1356013} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/611749 Reviewed-by: Anu Aliyas <anu.aliyas@qt.io>
diff --git a/chromium/components/language_detection/core/language_detection_model.cc b/chromium/components/language_detection/core/language_detection_model.cc
@@ -299,11 +299,17 @@ void LanguageDetectionModel::AddOnModelLoadedCallback(
 }
 
 void LanguageDetectionModel::NotifyModelLoaded() {
-  for (auto&& callback_ : model_loaded_callbacks_) {
-    std::move(callback_).Run(*this);
+  std::vector<ModelLoadedCallback> model_loaded_callbacks;
+
+  // Since the callbacks could result in modification of
+  // `model_loaded_callbacks_`, it's not safe to iterate over the member.
+  // TODO(https://crbug.com/381461495): Post a task for each callback.
+  model_loaded_callbacks.swap(model_loaded_callbacks_);
+
+  for (auto&& callback : model_loaded_callbacks) {
+    std::move(callback).Run(*this);
   }
   loaded_ = true;
-  model_loaded_callbacks_.clear();
 }
 
 }  // namespace language_detection

Original file line number	Diff line number	Diff line change
`@@ -299,11 +299,17 @@ void LanguageDetectionModel::AddOnModelLoadedCallback(`
`299`	`299`	`}`
`300`	`300`
`301`	`301`	`void LanguageDetectionModel::NotifyModelLoaded() {`
`302`		`- for (auto&& callback_ : model_loaded_callbacks_) {`
`303`		`- std::move(callback_).Run(*this);`
	`302`	`+ std::vector<ModelLoadedCallback> model_loaded_callbacks;`
	`303`	`+`
	`304`	`+ // Since the callbacks could result in modification of`
	`305`	+ // `model_loaded_callbacks_`, it's not safe to iterate over the member.
	`306`	`+ // TODO(https://crbug.com/381461495): Post a task for each callback.`
	`307`	`+ model_loaded_callbacks.swap(model_loaded_callbacks_);`
	`308`	`+`
	`309`	`+ for (auto&& callback : model_loaded_callbacks) {`
	`310`	`+ std::move(callback).Run(*this);`
`304`	`311`	`}`
`305`	`312`	`loaded_ = true;`
`306`		`- model_loaded_callbacks_.clear();`
`307`	`313`	`}`
`308`	`314`
`309`	`315`	`} // namespace language_detection`