[Chrome] heap-use-after-free in AccountSelectionBubbleView::OnAccountImageFetched
We discussed this vulnerability during Episode 164 on 01 November 2022
Callbacks can be tricky in memory-unsafe languages. Here the Chrome Account Selection feature creates an image view and an image fetcher, then sets up a callback to be run once the account's image has been fetched, passing in a raw pointer to the created image_view. The problem is that the image view may be destroyed before the callback fires, so the callback ends up writing through a dangling pointer.
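To make the lifetime problem concrete, the following is an added example written for this summary; it is not Chromium code and none of the class names are Chromium's. A constructed `UnsafeBubble` hands an async fetcher a callback holding a raw `ImageView*`, while `SafeBubble` hands it a weak reference that is checked before use (standing in for the `base::WeakPtr` / `base::BindOnce` pattern Chromium uses for this). A small registry of live views plays the role of AddressSanitizer so the dangling case can be observed without actually dereferencing freed memory.

```cpp
// Added example, not Chromium code: a minimal model of the bug class above.
#include <functional>
#include <memory>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Registry of live views. It stands in for ASan: the demo uses it to detect a
// dangling pointer instead of dereferencing freed memory (which real code does).
static std::set<const void*>& LiveViews() {
    static std::set<const void*> live;
    return live;
}

// Constructed stand-in for a UI image view.
struct ImageView {
    std::string image;
    ImageView() { LiveViews().insert(this); }
    ~ImageView() { LiveViews().erase(this); }
};

// Constructed async fetcher: queues callbacks and completes them whenever the
// caller decides, which may be after the requesting UI has been torn down.
class ImageFetcher {
public:
    using Callback = std::function<void(const std::string& image_bytes)>;
    void Fetch(const std::string& url, Callback cb) {
        pending_.emplace_back(url, std::move(cb));
    }
    void CompleteAll() {
        auto work = std::move(pending_);
        pending_.clear();
        for (auto& p : work) p.second("bytes-of:" + p.first);
    }
private:
    std::vector<std::pair<std::string, Callback>> pending_;
};

// Vulnerable pattern: the callback captures a raw ImageView* whose lifetime is
// owned by the bubble, not by the callback.
struct UnsafeBubble {
    std::unique_ptr<ImageView> view = std::make_unique<ImageView>();
    void StartFetch(ImageFetcher& f, int& dangling_count) {
        ImageView* raw = view.get();
        f.Fetch("avatar", [raw, &dangling_count](const std::string& bytes) {
            if (!LiveViews().count(raw)) { ++dangling_count; return; }  // real code: UAF here
            raw->image = bytes;
        });
    }
};

// Hardened pattern: the callback holds a weak reference and checks it first.
struct SafeBubble {
    std::shared_ptr<ImageView> view = std::make_shared<ImageView>();
    void StartFetch(ImageFetcher& f, int& skipped_count) {
        std::weak_ptr<ImageView> weak = view;
        f.Fetch("avatar", [weak, &skipped_count](const std::string& bytes) {
            if (auto v = weak.lock()) v->image = bytes;
            else ++skipped_count;  // view already gone: drop the result
        });
    }
};

// Scenario: fetch starts, bubble closes, fetch completes afterwards.
// Returns how many callbacks fired against an already-destroyed view.
int RunUnsafeScenario() {
    ImageFetcher fetcher;
    int dangling = 0;
    {
        UnsafeBubble bubble;
        bubble.StartFetch(fetcher, dangling);
    }  // bubble and its ImageView are destroyed; callback is still queued
    fetcher.CompleteAll();
    return dangling;
}

// Same ordering with the weak-reference callback: the stale result is skipped.
int RunSafeScenario() {
    ImageFetcher fetcher;
    int skipped = 0;
    {
        SafeBubble bubble;
        bubble.StartFetch(fetcher, skipped);
    }
    fetcher.CompleteAll();
    return skipped;
}

// Control: when the fetch completes while the bubble is alive, the image lands.
std::string RunSafeHappyPath() {
    ImageFetcher fetcher;
    int skipped = 0;
    SafeBubble bubble;
    bubble.StartFetch(fetcher, skipped);
    fetcher.CompleteAll();
    return bubble.view->image;
}
```

The ordering in `RunUnsafeScenario` is the one the summary describes: the UI goes away between the fetch being issued and the fetch completing. `std::weak_ptr::lock()` briefly extends the view's lifetime, which differs from Chromium's `base::WeakPtr` (a validity check only, on one sequence), but the defensive shape is the same: the completion handler must verify the target still exists rather than trust a pointer captured earlier.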
Exploitability of the issue is somewhat questionable; it seems similar to some issues we covered last week in Microsoft Edge, where UI interactions led to a UAF.