author | Raymond Toy <rtoy@chromium.org> | 2020-02-26 23:21:01 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2020-03-05 14:56:33 +0000 |
commit | 1c3145818e41790ade2060c324d233b8a6787856 (patch) | |
tree | 6be22ce0bed8e19d090b6c79a46ac5a08458116c | |
parent | 6c4b486ce6023ea06ea0773e3e043fb36918b695 (diff) | |
download | qtwebengine-chromium-1c3145818e41790ade2060c324d233b8a6787856.tar.gz |
[Backport] CVE-2020-6420: Insufficient policy enforcement in media

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2055989
https://chromium-review.googlesource.com/c/chromium/src/+/2075339:

MediaElementAudioSourceNode always sets is_origin_tainted

When a source changes for a MediaElementAudioSourceNode, the number of
channels and sample rate can be the same as the previous source.
However, we were skipping updating |is_origin_tainted_| in this case,
which allowed audio through even though we printed a message that CORS
prevented this.

Now always update |is_origin_tainted_| right away.

(cherry picked from commit ace7aab359d2fa00ef71e168418ae76df853445b)

Bug: 1050996
Change-Id: If1f96d95d01700a9f178a98168401c6a1f3501a6
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
-rw-r--r-- | chromium/third_party/blink/renderer/modules/webaudio/media_element_audio_source_node.cc | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/chromium/third_party/blink/renderer/modules/webaudio/media_element_audio_source_node.cc b/chromium/third_party/blink/renderer/modules/webaudio/media_element_audio_source_node.cc index 7b7fba6f9f1..a317b839799 100644 --- a/chromium/third_party/blink/renderer/modules/webaudio/media_element_audio_source_node.cc +++ b/chromium/third_party/blink/renderer/modules/webaudio/media_element_audio_source_node.cc @@ -106,6 +106,13 @@ void MediaElementAudioSourceHandler::SetFormat(uint32_t number_of_channels, PrintCorsMessage(MediaElement()->currentSrc().GetString()); } + { + // Make sure |is_origin_tainted_| matches |is_tainted|. But need to + // synchronize with process() to set this. + MediaElementAudioSourceHandlerLocker locker(*this); + is_origin_tainted_ = is_tainted; + } + if (number_of_channels != source_number_of_channels_ || source_sample_rate != source_sample_rate_) { if (!number_of_channels || @@ -118,16 +125,13 @@ void MediaElementAudioSourceHandler::SetFormat(uint32_t number_of_channels, MediaElementAudioSourceHandlerLocker locker(*this); source_number_of_channels_ = 0; source_sample_rate_ = 0; - is_origin_tainted_ = is_tainted; return; } // Synchronize with process() to protect |source_number_of_channels_|, - // |source_sample_rate_|, |multi_channel_resampler_|. and - // |is_origin_tainted_|. + // |source_sample_rate_|, |multi_channel_resampler_|. MediaElementAudioSourceHandlerLocker locker(*this); - is_origin_tainted_ = is_tainted; source_number_of_channels_ = number_of_channels; source_sample_rate_ = source_sample_rate; |
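Review bot: In the first hunk (@@ -106,6 +106,13 @@, the new scoped block after PrintCorsMessage), the locker is released at the closing brace and then re-acquired inside the format-change branch, so process() can run between the two critical sections and see the new |is_origin_tainted_| together with the old |source_number_of_channels_| and |source_sample_rate_|. If that interleaving is acceptable, the comment should say why; otherwise take the lock once for the whole update. The comment's second sentence ("But need to synchronize with process() to set this.") is a fragment and would read better as a statement of why the lock is held. Only the .cc file changes in this commit, so a regression test for a source change that keeps the same channel count and sample rate would help keep the same-format path covered.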
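Review bot: In the second hunk (@@ -118,16 +125,13 @@), the two removed "is_origin_tainted_ = is_tainted;" assignments, one in the early-return path that zeroes the format and one in the normal format update, now depend on the unconditional block added earlier in SetFormat, and nothing at either site says so. A short comment at these sites noting that |is_origin_tainted_| is already updated above would keep a later change from moving the assignment back under the format-change condition, which is the pattern the commit message identifies as the cause of the bug.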