[Backport] CVE-2019-13687

[Video Capture Manager] Convert pointers from Unretained to WeakPtr. This CL replaces the usage of unretained pointers with weak pointers in VideoCaptureManager. This conversion is safe because all places where the pointers are saved are on the IO thread as well as the place were the callbacks are then executed (see line 326 and 348). BUG=998548 (cherry picked from commit b740a6052b00ebeec4bdc3044a130aab0c64ab05) Change-Id: I47bda798fa7bcbd66bf23682ee6c6dd26b5642c1 Reviewed-by: Guido Urdaneta <guidou@chromium.org> Commit-Queue: Armando Miraglia <armax@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#694214} Reviewed-by: Armando Miraglia <armax@chromium.org> Cr-Commit-Position: refs/branch-heads/3865@{#801} Cr-Branched-From: 0cdcc6158160790658d1f033d3db873603250124-refs/heads/master@{#681094} Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
author: Allan Sandfeld Jensen <allan.jensen@qt.io> 2019-10-14 13:23:51 +0200
committer: Allan Sandfeld Jensen <allan.jensen@qt.io> 2019-10-14 12:33:07 +0000
commit: 495b2ebcd9d3ea3ee5893dad4d66333862eda493 (patch)
tree: a73d862a5adcae3d951322482b2a413d77a386ac
parent: f0e6f7f8a392b14c602c987534d98c3626e60ac8 (diff)
download: qtwebengine-chromium-495b2ebcd9d3ea3ee5893dad4d66333862eda493.tar.gz
1 files changed, 4 insertions, 5 deletions
diff --git a/chromium/content/browser/renderer_host/media/video_capture_manager.cc b/chromium/content/browser/renderer_host/media/video_capture_manager.cc
index 9af948a562e..caef5bf8b23 100644
--- a/chromium/content/browser/renderer_host/media/video_capture_manager.cc
+++ b/chromium/content/browser/renderer_host/media/video_capture_manager.cc
@@ -637,8 +637,7 @@ void VideoCaptureManager::GetPhotoState(
     media::VideoCaptureDevice::GetPhotoStateCallback callback) {
   DCHECK_CURRENTLY_ON(BrowserThread::IO);
 
-  const VideoCaptureController* controller =
-      LookupControllerBySessionId(session_id);
+  VideoCaptureController* controller = LookupControllerBySessionId(session_id);
   if (!controller)
     return;
   if (controller->IsDeviceAlive()) {
@@ -649,7 +648,7 @@ void VideoCaptureManager::GetPhotoState(
   photo_request_queue_.emplace_back(
       session_id,
       base::Bind(&VideoCaptureController::GetPhotoState,
-                 base::Unretained(controller), base::Passed(&callback)));
+                 controller->GetWeakPtrForIOThread(), base::Passed(&callback)));
 }
 
 void VideoCaptureManager::SetPhotoOptions(
@@ -668,7 +667,7 @@ void VideoCaptureManager::SetPhotoOptions(
   // Queue up a request for later.
   photo_request_queue_.emplace_back(
       session_id, base::Bind(&VideoCaptureController::SetPhotoOptions,
-                             base::Unretained(controller),
+                             controller->GetWeakPtrForIOThread(),
                              base::Passed(&settings), base::Passed(&callback)));
 }
 
@@ -694,7 +693,7 @@ void VideoCaptureManager::TakePhoto(
   photo_request_queue_.emplace_back(
       session_id,
       base::Bind(&VideoCaptureController::TakePhoto,
-                 base::Unretained(controller), base::Passed(&callback)));
+                 controller->GetWeakPtrForIOThread(), base::Passed(&callback)));
 }
 
 void VideoCaptureManager::OnOpened(
author	Allan Sandfeld Jensen <allan.jensen@qt.io>	2019-10-14 13:23:51 +0200
committer	Allan Sandfeld Jensen <allan.jensen@qt.io>	2019-10-14 12:33:07 +0000
commit	495b2ebcd9d3ea3ee5893dad4d66333862eda493 (patch)
tree	a73d862a5adcae3d951322482b2a413d77a386ac
parent	f0e6f7f8a392b14c602c987534d98c3626e60ac8 (diff)
download	qtwebengine-chromium-495b2ebcd9d3ea3ee5893dad4d66333862eda493.tar.gz