[Backport] CVE-2019-13695

[merge m77] media: Keep |cdm_context_ref_| in mojo media services on failure When unexpected failure happens, we expect the service to stay in a valid state. (cherry picked from commit d496219fd9061eaba1be73be05f8fac1dda86a27) Bug: 1004730 Test: Manually tested Change-Id: Ib35035705e4604b9aa8cf5212de07bc1069e73d4 Commit-Queue: Xiaohan Wang <xhwang@chromium.org> Reviewed-by: John Rummell <jrummell@chromium.org> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#697907} Reviewed-by: Xiaohan Wang <xhwang@chromium.org> Cr-Commit-Position: refs/branch-heads/3865@{#843} Cr-Branched-From: 0cdcc6158160790658d1f033d3db873603250124-refs/heads/master@{#681094} Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
author: Allan Sandfeld Jensen <allan.jensen@qt.io> 2019-10-14 13:35:38 +0200
committer: Allan Sandfeld Jensen <allan.jensen@qt.io> 2019-10-14 13:31:51 +0000
commit: b41d57627c005a1b2f093b944787c5dde16b235b (patch)
tree: 2d5e3efdeecfd5e89ba0dbad4a1738c37d27b28f
parent: cc18c848e1741271d5d0f01e67b560ee99b902a2 (diff)
download: qtwebengine-chromium-b41d57627c005a1b2f093b944787c5dde16b235b.tar.gz
3 files changed, 15 insertions, 6 deletions
diff --git a/chromium/media/mojo/services/mojo_audio_decoder_service.cc b/chromium/media/mojo/services/mojo_audio_decoder_service.cc
index eba8b656e92..68ec4f9eb74 100644
--- a/chromium/media/mojo/services/mojo_audio_decoder_service.cc
+++ b/chromium/media/mojo/services/mojo_audio_decoder_service.cc
@@ -41,13 +41,16 @@ void MojoAudioDecoderService::Initialize(const AudioDecoderConfig& config,
   // Get CdmContext from cdm_id if the stream is encrypted.
   CdmContext* cdm_context = nullptr;
   if (config.is_encrypted()) {
-    cdm_context_ref_ = mojo_cdm_service_context_->GetCdmContextRef(cdm_id);
-    if (!cdm_context_ref_) {
+    auto cdm_context_ref = mojo_cdm_service_context_->GetCdmContextRef(cdm_id);
+    if (!cdm_context_ref) {
       DVLOG(1) << "CdmContextRef not found for CDM id: " << cdm_id;
       std::move(callback).Run(false, false);
       return;
     }
 
+    // |cdm_context_ref_| must be kept as long as |cdm_context| is used by the
+    // |decoder_|.
+    cdm_context_ref_ = std::move(cdm_context_ref);
     cdm_context = cdm_context_ref_->GetCdmContext();
     DCHECK(cdm_context);
   }
diff --git a/chromium/media/mojo/services/mojo_renderer_service.cc b/chromium/media/mojo/services/mojo_renderer_service.cc
index 7afa721f531..f0cfeb6726d 100644
--- a/chromium/media/mojo/services/mojo_renderer_service.cc
+++ b/chromium/media/mojo/services/mojo_renderer_service.cc
@@ -132,13 +132,16 @@ void MojoRendererService::SetCdm(int32_t cdm_id, SetCdmCallback callback) {
     return;
   }
 
-  cdm_context_ref_ = mojo_cdm_service_context_->GetCdmContextRef(cdm_id);
-  if (!cdm_context_ref_) {
+  auto cdm_context_ref = mojo_cdm_service_context_->GetCdmContextRef(cdm_id);
+  if (!cdm_context_ref) {
     DVLOG(1) << "CdmContextRef not found for CDM ID: " << cdm_id;
     std::move(callback).Run(false);
     return;
   }
 
+  // |cdm_context_ref_| must be kept as long as |cdm_context| is used by the
+  // |renderer_|.
+  cdm_context_ref_ = std::move(cdm_context_ref);
   auto* cdm_context = cdm_context_ref_->GetCdmContext();
   DCHECK(cdm_context);
 
diff --git a/chromium/media/mojo/services/mojo_video_decoder_service.cc b/chromium/media/mojo/services/mojo_video_decoder_service.cc
index 4ec54f1a0fb..bbf9f015e1e 100644
--- a/chromium/media/mojo/services/mojo_video_decoder_service.cc
+++ b/chromium/media/mojo/services/mojo_video_decoder_service.cc
@@ -196,13 +196,16 @@ void MojoVideoDecoderService::Initialize(const VideoDecoderConfig& config,
   // Get CdmContext from cdm_id if the stream is encrypted.
   CdmContext* cdm_context = nullptr;
   if (cdm_id != CdmContext::kInvalidCdmId) {
-    cdm_context_ref_ = mojo_cdm_service_context_->GetCdmContextRef(cdm_id);
-    if (!cdm_context_ref_) {
+    auto cdm_context_ref = mojo_cdm_service_context_->GetCdmContextRef(cdm_id);
+    if (!cdm_context_ref) {
       DVLOG(1) << "CdmContextRef not found for CDM id: " << cdm_id;
       OnDecoderInitialized(false);
       return;
     }
 
+    // |cdm_context_ref_| must be kept as long as |cdm_context| is used by the
+    // |decoder_|.
+    cdm_context_ref_ = std::move(cdm_context_ref);
     cdm_context = cdm_context_ref_->GetCdmContext();
     DCHECK(cdm_context);
   }
author	Allan Sandfeld Jensen <allan.jensen@qt.io>	2019-10-14 13:35:38 +0200
committer	Allan Sandfeld Jensen <allan.jensen@qt.io>	2019-10-14 13:31:51 +0000
commit	b41d57627c005a1b2f093b944787c5dde16b235b (patch)
tree	2d5e3efdeecfd5e89ba0dbad4a1738c37d27b28f
parent	cc18c848e1741271d5d0f01e67b560ee99b902a2 (diff)
download	qtwebengine-chromium-b41d57627c005a1b2f093b944787c5dde16b235b.tar.gz