firefox/CVE-2020-6814-2.patch
2020-05-25 16:41:12 +08:00


From 235ee6bbd95335ede2a095e3e2ed67022afe7800 Mon Sep 17 00:00:00 2001
From: Perry Jiang <perry@mozilla.com>
Date: Wed, 19 Feb 2020 17:56:08 +0000
Subject: [PATCH] Bug 1604847 - let ClientSourceOpChild finish
initialization
r=dom-workers-and-storage-reviewers,asuth
Differential Revision: https://phabricator.services.mozilla.com/D63239
--HG--
extra : moz-landing-system : lando
---
dom/clients/manager/ClientSourceChild.cpp | 2 +-
dom/clients/manager/ClientSourceOpChild.cpp | 28 ++++++++++++++++++++-
dom/clients/manager/ClientSourceOpChild.h | 22 ++++++++++------
3 files changed, 43 insertions(+), 9 deletions(-)
diff --git a/dom/clients/manager/ClientSourceChild.cpp b/dom/clients/manager/ClientSourceChild.cpp
index 0f13a63..e4a8330 100644
--- a/dom/clients/manager/ClientSourceChild.cpp
+++ b/dom/clients/manager/ClientSourceChild.cpp
@@ -37,7 +37,7 @@ ClientSourceChild::AllocPClientSourceOpChild(const ClientOpConstructorArgs& aArg
bool
ClientSourceChild::DeallocPClientSourceOpChild(PClientSourceOpChild* aActor)
{
- delete aActor;
+ static_cast<ClientSourceOpChild*>(aActor)->ScheduleDeletion();
return true;
}
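Review bot: The static_cast on the new line assumes every actor reaching DeallocPClientSourceOpChild was allocated as a ClientSourceOpChild by AllocPClientSourceOpChild (visible only in the hunk header); that holds as long as the two stay paired, and a one-line comment would make the coupling explicit, e.g. `// Allocated as ClientSourceOpChild in AllocPClientSourceOpChild; deletion is deferred until the op has finished Init().` Returning true while the actual delete may still be pending is only sound if IPDL makes no further use of the actor after this call, which is presumably the contract but is not visible in this hunk.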
diff --git a/dom/clients/manager/ClientSourceOpChild.cpp b/dom/clients/manager/ClientSourceOpChild.cpp
index dff99d2..b19787f 100644
--- a/dom/clients/manager/ClientSourceOpChild.cpp
+++ b/dom/clients/manager/ClientSourceOpChild.cpp
@@ -8,6 +8,7 @@
#include "ClientSource.h"
#include "ClientSourceChild.h"
+#include "mozilla/Assertions.h"
#include "mozilla/Unused.h"
namespace mozilla {
@@ -72,7 +73,7 @@ ClientSourceOpChild::DoSourceOp(Method aMethod, const Args& aArgs)
void
ClientSourceOpChild::ActorDestroy(ActorDestroyReason aReason)
{
- mPromiseRequestHolder.DisconnectIfExists();
+ Cleanup();
}
void
@@ -111,6 +112,31 @@ ClientSourceOpChild::Init(const ClientOpConstructorArgs& aArgs)
break;
}
}
+
+ mInitialized.Flip();
+
+ if (mDeletionRequested) {
+ Cleanup();
+ delete this;
+ }
+}
+
+void ClientSourceOpChild::ScheduleDeletion() {
+ if (mInitialized) {
+ Cleanup();
+ delete this;
+ return;
+ }
+
+ mDeletionRequested.Flip();
+}
+
+ClientSourceOpChild::~ClientSourceOpChild() {
+ MOZ_DIAGNOSTIC_ASSERT(mInitialized);
+}
+
+void ClientSourceOpChild::Cleanup() {
+ mPromiseRequestHolder.DisconnectIfExists();
}
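Review bot: Init may now delete `this` on its last added lines (the `mDeletionRequested` branch), but nothing tells Init's caller, which lies outside this hunk and outside the patch, that the pointer is dead once Init returns; the header hunk in the third file documents this only for ScheduleDeletion. I'd mirror that comment on Init in the header: `// May delete "this" if ScheduleDeletion() ran before Init() completed; callers must not touch the actor after Init() returns.` The `Cleanup(); delete this;` pair also appears in both Init and ScheduleDeletion, and folding it into one private helper (say `DeleteNow()`) keeps the destruction sequence in one place. Whether Cleanup() is safe to run twice, once from ActorDestroy and again just before delete, rests on DisconnectIfExists() being idempotent, which its name suggests but the hunk does not show. The start of Init is outside this hunk.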
} // namespace dom
diff --git a/dom/clients/manager/ClientSourceOpChild.h b/dom/clients/manager/ClientSourceOpChild.h
index 1132353..7f30eb0 100644
--- a/dom/clients/manager/ClientSourceOpChild.h
+++ b/dom/clients/manager/ClientSourceOpChild.h
@@ -6,6 +6,7 @@
#ifndef _mozilla_dom_ClientSourceOpChild_h
#define _mozilla_dom_ClientSourceOpChild_h
+#include "mozilla/dom/FlippedOnce.h"
#include "mozilla/dom/PClientSourceOpChild.h"
#include "ClientOpPromise.h"
@@ -16,7 +17,17 @@ class ClientSource;
class ClientSourceOpChild final : public PClientSourceOpChild
{
- MozPromiseRequestHolder<ClientOpPromise> mPromiseRequestHolder;
+ public:
+ void Init(const ClientOpConstructorArgs& aArgs);
+
+ // Deletes "this" after initialization (or immediately if already
+ // initialized.) It's UB to use "this" after calling ScheduleDeletion.
+ void ScheduleDeletion();
+
+ private:
+ ~ClientSourceOpChild();
+
+ void Cleanup();
ClientSource*
GetSource() const;
@@ -29,12 +40,9 @@ class ClientSourceOpChild final : public PClientSourceOpChild
void
ActorDestroy(ActorDestroyReason aReason) override;
-public:
- ClientSourceOpChild() = default;
- ~ClientSourceOpChild() = default;
-
- void
- Init(const ClientOpConstructorArgs& aArgs);
+ MozPromiseRequestHolder<ClientOpPromise> mPromiseRequestHolder;
+ FlippedOnce<false> mDeletionRequested;
+ FlippedOnce<false> mInitialized;
};
} // namespace dom
--
2.23.0