From 2f8993cd7e47e00451a08c5c8a5cba1701eefac8 Mon Sep 17 00:00:00 2001
From: dljames
Date: Thu, 16 Mar 2023 18:45:02 +0000
Subject: [PATCH] Fix move group to new window context menu UAF

Fixes a bug where clicking the "Move group to new window" button in the Saved Tab Group button context menu would cause a use after free, causing the browser to crash.

Change-Id: I4a71f911dde126ba57d6f9f81d65d5adf43177d0
Bug: 1424995
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4345092
Reviewed-by: Taylor Bergquist
Commit-Queue: Darryl James
Cr-Commit-Position: refs/heads/main@{#1118246}
---
 .../saved_tab_groups/saved_tab_group_button.cc | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/chrome/browser/ui/views/bookmarks/saved_tab_groups/saved_tab_group_button.cc b/chrome/browser/ui/views/bookmarks/saved_tab_groups/saved_tab_group_button.cc
index 90492a6eec3cd2..b9ba2c7e9c08d7 100644
--- a/chrome/browser/ui/views/bookmarks/saved_tab_groups/saved_tab_group_button.cc
+++ b/chrome/browser/ui/views/bookmarks/saved_tab_groups/saved_tab_group_button.cc
@@ -9,6 +9,7 @@
 #include 
 #include "base/check.h"
+#include "base/cxx20_to_address.h"
 #include "base/functional/bind.h"
 #include "base/functional/callback_forward.h"
 #include "chrome/app/vector_icons/vector_icons.h"
@@ -273,12 +274,21 @@ void SavedTabGroupButton::TabMenuItemPressed(const GURL& url, int event_flags) {
 }
 void SavedTabGroupButton::MoveGroupToNewWindowPressed(int event_flags) {
- if (!local_group_id_.has_value()) {
- service_->OpenSavedTabGroupInBrowser(base::to_address(browser_), guid_);
+ Browser* browser = nullptr;
+
+ if (local_group_id_.has_value()) {
+ // Find the browser which contains `local_group_id_` if it is open already.
+ browser =
+ service_->listener()->GetBrowserWithTabGroupId(local_group_id_.value());
+ } else {
+ // Open the group in the current browser if it is closed.
+ browser = base::to_address(browser_);
+ service_->OpenSavedTabGroupInBrowser(browser, guid_);
 }
+ // Move the open group to a new browser window.
 const SavedTabGroup* group = service_->model()->Get(guid_);
- browser_->tab_strip_model()->delegate()->MoveGroupToNewWindow(
+ browser->tab_strip_model()->delegate()->MoveGroupToNewWindow(
 group->local_group_id().value());
 }
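Review bot: `browser` is dereferenced on the `browser->tab_strip_model()` line with no null check, and in the `has_value()` branch it now comes from `service_->listener()->GetBrowserWithTabGroupId(...)`, a lookup that presumably can come back empty (for instance if `local_group_id_` no longer matches an open window); the old code only ever used `browser_`, so this is a new null-dereference path distinct from the use-after-free the commit fixes. A guard after the `if/else`, `if (!browser) { return; }` (or `CHECK(browser);` if the invariant is intended to hold), would make the contract explicit. The pre-existing `group->local_group_id().value()` likewise assumes `OpenSavedTabGroupInBrowser` always populates the local id and that `model()->Get(guid_)` is non-null, which is worth a comment or a `DCHECK(group && group->local_group_id().has_value());` before the move. `MoveGroupToNewWindowPressed` is entirely within the hunk.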