author | Ilya Nikolaevskiy <ilnik@chromium.org> | 2022-11-14 12:33:49 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2022-12-06 15:45:19 +0000 |
commit | b658b4883ee4f766046c82c2cba742b43a92bad5 (patch) | |
tree | 09d95d847b40ed957f30ebc4254f2e5e939eeb7c | |
parent | 0e3a1457be9fbe2b52cba52a12a9b1f4ca3ee646 (diff) | |
download | qtwebengine-chromium-b658b4883ee4f766046c82c2cba742b43a92bad5.tar.gz |
[Backport] CVE-2022-4175: Use after free in Camera Capture
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4023295:
Fix UAF in VideoCaptureDeviceWin::FrameReceived
(cherry picked from commit d08a3822658cb4ca4261659f1487069a14b51bd9)
Bug: 1381401
Change-Id: Ib742ec7b86d3c419f37f12694bf9cd5f3f03305c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4013158
Reviewed-by: Markus Handell <handellm@google.com>
Commit-Queue: Ilya Nikolaevskiy <ilnik@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1069054}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4023295
Cr-Commit-Position: refs/branch-heads/5359@{#809}
Cr-Branched-From: 27d3765d341b09369006d030f83f582a29eb57ae-refs/heads/main@{#1058933}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/446481
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/media/capture/video/win/video_capture_device_win.cc | 43 |
1 files changed, 22 insertions, 21 deletions
diff --git a/chromium/media/capture/video/win/video_capture_device_win.cc b/chromium/media/capture/video/win/video_capture_device_win.cc
index df0aef940a0..b220ded61ed 100644
--- a/chromium/media/capture/video/win/video_capture_device_win.cc
+++ b/chromium/media/capture/video/win/video_capture_device_win.cc
@@ -866,34 +866,35 @@ void VideoCaptureDeviceWin::FrameReceived(const uint8_t* buffer,
 const VideoCaptureFormat& format,
 base::TimeDelta timestamp,
 bool flip_y) {
+ // We always calculate camera rotation for the first frame. We also cache
+ // the latest value to use when AutoRotation is turned off.
+ // To avoid potential deadlock, do this without holding a lock.
+ if (!camera_rotation_.has_value() || IsAutoRotationEnabled())
+ camera_rotation_ = GetCameraRotation(device_descriptor_.facing);
+
 {
 base::AutoLock lock(lock_);
 if (state_ != kCapturing)
 return;
- }
- if (first_ref_time_.is_null())
- first_ref_time_ = base::TimeTicks::Now();
+ if (first_ref_time_.is_null())
+ first_ref_time_ = base::TimeTicks::Now();
- // There is a chance that the platform does not provide us with the timestamp,
- // in which case, we use reference time to calculate a timestamp.
- if (timestamp == kNoTimestamp)
- timestamp = base::TimeTicks::Now() - first_ref_time_;
+ // There is a chance that the platform does not provide us with the
+ // timestamp, in which case, we use reference time to calculate a timestamp.
+ if (timestamp == kNoTimestamp)
+ timestamp = base::TimeTicks::Now() - first_ref_time_;
- // We always calculate camera rotation for the first frame. We also cache the
- // latest value to use when AutoRotation is turned off.
- if (!camera_rotation_.has_value() || IsAutoRotationEnabled())
- camera_rotation_ = GetCameraRotation(device_descriptor_.facing);
-
- // TODO(julien.isorce): retrieve the color space information using the
- // DirectShow api, AM_MEDIA_TYPE::VIDEOINFOHEADER2::dwControlFlags. If
- // AMCONTROL_COLORINFO_PRESENT, then reinterpret dwControlFlags as a
- // DXVA_ExtendedFormat. Then use its fields DXVA_VideoPrimaries,
- // DXVA_VideoTransferMatrix, DXVA_VideoTransferFunction and
- // DXVA_NominalRangeto build a gfx::ColorSpace. See http://crbug.com/959992.
- client_->OnIncomingCapturedData(buffer, length, format, gfx::ColorSpace(),
- camera_rotation_.value(), flip_y,
- base::TimeTicks::Now(), timestamp);
+ // TODO(julien.isorce): retrieve the color space information using the
+ // DirectShow api, AM_MEDIA_TYPE::VIDEOINFOHEADER2::dwControlFlags. If
+ // AMCONTROL_COLORINFO_PRESENT, then reinterpret dwControlFlags as a
+ // DXVA_ExtendedFormat. Then use its fields DXVA_VideoPrimaries,
+ // DXVA_VideoTransferMatrix, DXVA_VideoTransferFunction and
+ // DXVA_NominalRangeto build a gfx::ColorSpace. See http://crbug.com/959992.
+ client_->OnIncomingCapturedData(buffer, length, format, gfx::ColorSpace(),
+ camera_rotation_.value(), flip_y,
+ base::TimeTicks::Now(), timestamp);
+ }
 while (!take_photo_callbacks_.empty()) {
 TakePhotoCallback cb = std::move(take_photo_callbacks_.front()); |
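Review bot: The new code now calls `client_->OnIncomingCapturedData(...)` while holding `lock_`, which is what closes the use-after-free (the client can no longer be torn down between the `state_ != kCapturing` check and the delivery), but nothing in the hunk records that invariant or the new constraint that the callee must not re-enter this object on `lock_`, since `base::AutoLock` is not reentrant. I would add above the `base::AutoLock lock(lock_);` line: `// Hold lock_ across the client callback: the stop path (presumably) clears client_ under the same lock after leaving kCapturing, so a frame is never delivered to a destroyed client. The callback must not call back into this device.` Separately, `camera_rotation_` is now written before the lock is taken and read via `camera_rotation_.value()` under it; that is only race-free if FrameReceived is serialized on a single thread, which the new "To avoid potential deadlock" comment should state explicitly. FrameReceived's body continues past the end of the hunk (the `take_photo_callbacks_` loop, which still runs without the lock).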