diff options
| author | Hongchan Choi <hongchan@chromium.org> | 2020-03-16 05:52:36 +0000 |
|---|---|---|
| committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2020-03-24 08:38:05 +0000 |
| commit | 2a9a1c057d8984ba9fc25e2dd8b5fe6c58e5ea3b (patch) | |
| tree | 4304a8d9121fc38feea94264a20781252737c0e6 | |
| parent | 72d0936150ffc54889e27329c51f6c1382ccf63d (diff) | |
| download | qtwebengine-chromium-2a9a1c057d8984ba9fc25e2dd8b5fe6c58e5ea3b.tar.gz | |
[Backport] CVE-2020-6429: Use after free in audio.
Manual backport of patch originally reviewed on:
https://chromium-review.googlesource.com/c/chromium/src/+/2082897
https://chromium-review.googlesource.com/c/chromium/src/+/2104662
Use SupportsWeakPtr for messaging from rendering thread to main thread
In cross-thread messaging, the associated execution context can be
already gone when a posted task is performed sometime later in the task
runner's queue.
By using WeakPtr, the task runner will not perform a scheduled task
in the queue when the target object is invalid.
Test: Locally confirmed that the repro does not crash.
Bug: 1057627
Change-Id: Ia794fe220ac9868584be4d3993790293daf52c8a
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| -rw-r--r-- | chromium/third_party/blink/renderer/modules/webaudio/audio_scheduled_source_node.cc | 2 | ||||
| -rw-r--r-- | chromium/third_party/blink/renderer/modules/webaudio/audio_scheduled_source_node.h | 5 |
2 files changed, 5 insertions, 2 deletions
diff --git a/chromium/third_party/blink/renderer/modules/webaudio/audio_scheduled_source_node.cc b/chromium/third_party/blink/renderer/modules/webaudio/audio_scheduled_source_node.cc index 590ffe30c6e..4e288e94ff5 100644 --- a/chromium/third_party/blink/renderer/modules/webaudio/audio_scheduled_source_node.cc +++ b/chromium/third_party/blink/renderer/modules/webaudio/audio_scheduled_source_node.cc @@ -259,7 +259,7 @@ void AudioScheduledSourceHandler::Finish() { PostCrossThreadTask( *task_runner_, FROM_HERE, CrossThreadBindOnce(&AudioScheduledSourceHandler::NotifyEnded, - WrapRefCounted(this))); + AsWeakPtr())); } void AudioScheduledSourceHandler::NotifyEnded() { diff --git a/chromium/third_party/blink/renderer/modules/webaudio/audio_scheduled_source_node.h b/chromium/third_party/blink/renderer/modules/webaudio/audio_scheduled_source_node.h index 2fdb9bac867..d526a776c4c 100644 --- a/chromium/third_party/blink/renderer/modules/webaudio/audio_scheduled_source_node.h +++ b/chromium/third_party/blink/renderer/modules/webaudio/audio_scheduled_source_node.h @@ -30,6 +30,7 @@ #define THIRD_PARTY_BLINK_RENDERER_MODULES_WEBAUDIO_AUDIO_SCHEDULED_SOURCE_NODE_H_ #include <atomic> +#include "base/memory/weak_ptr.h" #include "third_party/blink/renderer/bindings/core/v8/active_script_wrappable.h" #include "third_party/blink/renderer/modules/webaudio/audio_node.h" @@ -38,7 +39,9 @@ namespace blink { class BaseAudioContext; class AudioBus; -class AudioScheduledSourceHandler : public AudioHandler { +class AudioScheduledSourceHandler + : public AudioHandler, + public base::SupportsWeakPtr<AudioScheduledSourceHandler> { public: // These are the possible states an AudioScheduledSourceNode can be in: // |