authorRaymond Toy <rtoy@chromium.org>2020-03-16 05:58:01 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2020-03-24 08:38:00 +0000
commit72d0936150ffc54889e27329c51f6c1382ccf63d (patch)
tree92670462e898825d6df1f7c567716cbe0410272a
parent8f4cef2a9d94930d02e254e054f8a9d0796e2422 (diff)
downloadqtwebengine-chromium-72d0936150ffc54889e27329c51f6c1382ccf63d.tar.gz
[Backport] CVE-2020-6428: Use after free in audio.
Manual backport of patch originally reviewed on: https://chromium-review.googlesource.com/c/chromium/src/+/2083436 https://chromium-review.googlesource.com/c/chromium/src/+/2104827 Break connections before removing from active_source_handlers_. In DeferredTaskHandler::BreakConnections, we want to remove finished handlers and break the connection. When a finished handler is removed from active_source_handlers_, it might be deleted, but we were still using that pointer to break the connection. Instead, break the connection first and then remove it. Manually ran the test from the bug and it passes with this change. Without this, it failed right away. Bug: 1057593 Change-Id: Id9254071e7860d593d6061fd395c00160002202b Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc4
1 files changed, 3 insertions, 1 deletions
diff --git a/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc b/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc
index 9fd38f0dde7..fca70458c5a 100644
--- a/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc
+++ b/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc
@@ -78,8 +78,10 @@ void DeferredTaskHandler::BreakConnections() {
wtf_size_t size = finished_source_handlers_.size();
if (size > 0) {
for (auto* finished : finished_source_handlers_) {
- active_source_handlers_.erase(finished);
+ // Break connection first and then remove from the list because that can
+ // cause the handler to be deleted.
finished->BreakConnectionWithLock();
+ active_source_handlers_.erase(finished);
}
finished_source_handlers_.clear();
}
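Review bot: The reordered loop is only safe because `active_source_handlers_.erase(finished)` is now the last use of `finished` in the iteration: `finished_source_handlers_` is iterated through raw pointers (`auto*`) and, per the commit message, the erase may delete the handler, so nothing may touch `finished` after that line — the new comment should say this explicitly, since its current wording (`because that can cause the handler to be deleted`) leaves it ambiguous which of the two calls does the deleting. Suggested replacement for the two comment lines: `// Erasing from active_source_handlers_ may drop the last reference and delete the handler, so break the connection while it is still alive and do not touch |finished| after the erase.` If `active_source_handlers_` is indeed the owning reference, a more robust shape would take a local `scoped_refptr` to the handler for the duration of the iteration so the call order stops being load-bearing; the element type is not visible in this hunk, so that is a suggestion to confirm. `BreakConnections()` starts before the hunk, so how `finished_source_handlers_` is populated and whether the lock that `BreakConnectionWithLock()` expects is held here cannot be checked from this view.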