diff options
| author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-11-01 11:10:31 +0100 |
|---|---|---|
| committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-11-01 14:17:19 +0000 |
| commit | d6e5fc10e417efdf8665d9fba57c269f0534072f (patch) | |
| tree | 92868f1e4caf683782a4215bbc3bba2590bafd74 | |
| parent | da37c1e0c517506ab6c3c49f8e432da95464e13d (diff) | |
| download | qtwebengine-chromium-73-based.tar.gz | |
[Backport] Fix for CVE-2019-1372073-based
Obtain graph/process lock when nullifying the buffer in Reverb
When the buffer is set to `null` while there is an active buffer
within a reverb object, SetBuffer() function can prematurely
nullify the `reverb_` and `shared_buffer_` while it is still
being accessed by the rendering thread.
This CL adds two locks (graph lock and process lock) when the
buffer gets nullified to ensure the synchronization between
two threads.
(cherry picked from commit 6a2e670a243b815cf043f8da4d26ecb9a64d307b)
Change-Id: I8f501b6a16b3c7e16db767e0b279a1a53d6eb290
Bug: 1019226
Reviewed-on:
https://chromium-review.googlesource.com/c/chromium/src/+/1888103
Commit-Queue: Hongchan Choi <hongchan@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#710627}
Reviewed-on:
https://chromium-review.googlesource.com/c/chromium/src/+/1889510
Reviewed-by: Krishna Govind <govind@chromium.org>
Cr-Commit-Position: refs/branch-heads/3953@{#8}
Cr-Branched-From:
b5ceb94d4b9a2f629c84df1be72f9e3d0a79fd2d-refs/heads/master@{#710313}
Reviewed-by: Michael BrĂ¼ning <michael.bruning@qt.io>
| -rw-r--r-- | chromium/third_party/blink/renderer/modules/webaudio/convolver_node.cc | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/chromium/third_party/blink/renderer/modules/webaudio/convolver_node.cc b/chromium/third_party/blink/renderer/modules/webaudio/convolver_node.cc index a0c05beab71..066ed521d09 100644 --- a/chromium/third_party/blink/renderer/modules/webaudio/convolver_node.cc +++ b/chromium/third_party/blink/renderer/modules/webaudio/convolver_node.cc @@ -95,6 +95,8 @@ void ConvolverHandler::SetBuffer(AudioBuffer* buffer, DCHECK(IsMainThread()); if (!buffer) { + BaseAudioContext::GraphAutoLocker context_locker(Context()); + MutexLocker locker(process_lock_); reverb_.reset(); buffer_ = buffer; return; |