GHSA-8x5q-pvf5-64mp
Electron: Use-after-free in offscreen shared texture release() callback
Details

### Impact

Apps that use offscreen rendering with GPU shared textures may be vulnerable to a use-after-free. Under certain conditions, the `release()` callback provided on a `paint` event texture can outlive its backing native state, and invoking it after that point dereferences freed memory in the main process, which may lead to a crash or memory corruption.

Apps are only affected if they use offscreen rendering with `webPreferences.offscreen: { useSharedTexture: true }`. Apps that do not enable shared-texture offscreen rendering are not affected.

### Workarounds

Ensure `texture.release()` is called promptly after the texture has been consumed, before the texture object becomes unreachable.
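
One way to apply this workaround in a `paint` handler, as an added example that is not part of the advisory or Electron's own code: the texture is released in a `finally` block, so a throwing or asynchronous consumer cannot leave it unreleased. `makePaintHandler`, `consumeTexture` and `onError` are hypothetical names; the consumer is assumed to finish using the texture before its promise resolves.

```javascript
// Added example: release the shared texture exactly once per paint event,
// while the handler still holds a live reference to it.
// `consumeTexture` is a hypothetical app-supplied function that imports or
// copies the frame (for example by passing texture.textureInfo to native code).
function makePaintHandler(consumeTexture, onError = console.error) {
  return async function onPaint(event, dirtyRect, image) {
    const texture = event.texture;
    // No shared texture on this event: nothing to consume or release.
    if (!texture) return false;

    try {
      // Await so an async consumer is done before the texture is handed back.
      // Only textureInfo is passed on, so the consumer has no reason to keep
      // the texture object (and its release() callback) alive afterwards.
      await consumeTexture(texture.textureInfo, dirtyRect);
    } catch (err) {
      // A failing consumer is reported but must not skip the release below.
      onError(err);
    } finally {
      // Runs on success and on failure, before `texture` goes out of scope.
      texture.release();
    }
    return true;
  };
}

// Wiring in the main process (needs Electron; shown as comments for context):
// const { app, BrowserWindow } = require('electron');
// app.whenReady().then(() => {
//   const win = new BrowserWindow({
//     webPreferences: { offscreen: { useSharedTexture: true } },
//   });
//   win.webContents.on('paint', makePaintHandler(myConsumer));
// });
```
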

### Fixed Versions

* `42.0.0-alpha.5`
* `41.1.0`
* `40.8.5`
* `39.8.5`

### For more information

If there are any questions or comments about this advisory, send an email to [security@electronjs.org](mailto:security@electronjs.org)

Affected packages
42.0.0-alpha.1, fixed version: 42.0.0-alpha.5 (`npm install electron@42.0.0-alpha.5`)