author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-10-14 13:22:53 +0200 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-10-14 12:32:53 +0000 |
commit | f0e6f7f8a392b14c602c987534d98c3626e60ac8 (patch) | |
tree | 5547710708644cd0b91c87450ce5e8c0a7846c94 | |
parent | 1c7141ad185b2156e702499a5135df01c0b04f51 (diff) | |
download | qtwebengine-chromium-f0e6f7f8a392b14c602c987534d98c3626e60ac8.tar.gz |
[Backport] CVE-2019-13688
[Video Capture Manager] Delete all occurrences of device start requests queued.
The vulnerability indicated in crbug.com/995964 suggests that the core
issue relates to the assumption that device_start_request_queue_ can
only contain one occurrence of a controller while this might not be the
case.
This change makes sure that all occurrences of a controller are removed
from the list, instead of removing only the first found.
BUG=995964
(cherry picked from commit f33b0b8907693ef8401f631ab4c3fe7424c84aae)
Change-Id: Ice2a1da37d13339128d3d52d25daa252c5d61155
Reviewed-by: Guido Urdaneta <guidou@chromium.org>
Commit-Queue: Armando Miraglia <armax@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#694255}
Reviewed-by: Armando Miraglia <armax@chromium.org>
Cr-Commit-Position: refs/branch-heads/3865@{#802}
Cr-Branched-From: 0cdcc6158160790658d1f033d3db873603250124-refs/heads/master@{#681094}
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
-rw-r--r-- | chromium/content/browser/renderer_host/media/video_capture_manager.cc | 18 |
1 files changed, 8 insertions, 10 deletions
diff --git a/chromium/content/browser/renderer_host/media/video_capture_manager.cc b/chromium/content/browser/renderer_host/media/video_capture_manager.cc index 2ac11f0dbd0..9af948a562e 100644 --- a/chromium/content/browser/renderer_host/media/video_capture_manager.cc +++ b/chromium/content/browser/renderer_host/media/video_capture_manager.cc @@ -236,16 +236,14 @@ void VideoCaptureManager::DoStopDevice(VideoCaptureController* controller) { // If start request has not yet started processing, i.e. if it is not at the // beginning of the queue, remove it from the queue. - auto request_iter = device_start_request_queue_.begin(); - if (request_iter != device_start_request_queue_.end()) { - request_iter = - std::find_if(++request_iter, device_start_request_queue_.end(), - [controller](const CaptureDeviceStartRequest& request) { - return request.controller() == controller; - }); - if (request_iter != device_start_request_queue_.end()) { - device_start_request_queue_.erase(request_iter); - return; + if (!device_start_request_queue_.empty()) { + auto second_request = std::next(device_start_request_queue_.begin()); + + for (auto it = second_request; it != device_start_request_queue_.end();) { + if (it->controller() == controller) + it = device_start_request_queue_.erase(it); + else + ++it; } } |
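Review bot: The `return;` that followed the single `erase` is gone, so in `DoStopDevice` control now falls through past this block even when the controller's request was only queued and had not started processing. The commit message describes only the removal of all occurrences, not this control-flow change. Please confirm that the code following this block is safe to run for a controller whose start request never reached the front of the queue, or track whether any entry was erased and return early as before. The comment above the loop still reads "remove it from the queue"; it should say that every occurrence after the first entry is removed, and note why the front entry is deliberately skipped even if it refers to the same controller.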