[Backport] CVE-2020-6427: Use after free in audio.

Manual backport of patch originally reviewed on: https://chromium-review.googlesource.com/c/chromium/src/+/2074807 https://chromium-review.googlesource.com/c/chromium/src/+/2104664 Use WeakPtr for cross-thread posting {IIR,Biquad}FilterNodes check the state of the filter and notify the main thread when it goes bad. In this process, the associated context can be collected when a posted task is performed sometime later in the task runner's queue. By using WeakPtr, the task runner will not perform a scheduled task in the queue when the target object is invalid anymore. (cherry picked from commit 2cd0af7ea20547c2471483ef2233f3b068db93c3) Test: Locally confirmed that the repro case does not crash after 30 min. Bug: 1055788 Change-Id: I23e001ad6e900631d0e9e475f690c57f63639dcc Reviewed-by: Michal Klocek <michal.klocek@qt.io>
author: Hongchan Choi <hongchan@chromium.org> 2020-03-16 06:07:19 +0000
committer: Michael Brüning <michael.bruning@qt.io> 2020-03-24 08:37:55 +0000
commit: 8f4cef2a9d94930d02e254e054f8a9d0796e2422 (patch)
tree: e17e4c5bcdeb8566316af738a97ad4d33e654f25
parent: c110d4f93dfd89bdddfbc5b2181bbc698db7f6d5 (diff)
download: qtwebengine-chromium-8f4cef2a9d94930d02e254e054f8a9d0796e2422.tar.gz
4 files changed, 11 insertions, 6 deletions
diff --git a/chromium/third_party/blink/renderer/modules/webaudio/biquad_filter_node.cc b/chromium/third_party/blink/renderer/modules/webaudio/biquad_filter_node.cc
index 00d2b9b6ef3..948c3df2b57 100644
--- a/chromium/third_party/blink/renderer/modules/webaudio/biquad_filter_node.cc
+++ b/chromium/third_party/blink/renderer/modules/webaudio/biquad_filter_node.cc
@@ -88,7 +88,7 @@ void BiquadFilterHandler::Process(uint32_t frames_to_process) {
       PostCrossThreadTask(
           *task_runner_, FROM_HERE,
           CrossThreadBindOnce(&BiquadFilterHandler::NotifyBadState,
-                              WrapRefCounted(this)));
+                              AsWeakPtr()));
     }
   }
 }
diff --git a/chromium/third_party/blink/renderer/modules/webaudio/biquad_filter_node.h b/chromium/third_party/blink/renderer/modules/webaudio/biquad_filter_node.h
index 7ed45955908..a269039bdf4 100644
--- a/chromium/third_party/blink/renderer/modules/webaudio/biquad_filter_node.h
+++ b/chromium/third_party/blink/renderer/modules/webaudio/biquad_filter_node.h
@@ -26,6 +26,7 @@
 #ifndef THIRD_PARTY_BLINK_RENDERER_MODULES_WEBAUDIO_BIQUAD_FILTER_NODE_H_
 #define THIRD_PARTY_BLINK_RENDERER_MODULES_WEBAUDIO_BIQUAD_FILTER_NODE_H_
 
+#include "base/memory/weak_ptr.h"
 #include "third_party/blink/renderer/core/typed_arrays/array_buffer_view_helpers.h"
 #include "third_party/blink/renderer/core/typed_arrays/dom_typed_array.h"
 #include "third_party/blink/renderer/modules/webaudio/audio_basic_processor_handler.h"
@@ -38,7 +39,8 @@ class BaseAudioContext;
 class AudioParam;
 class BiquadFilterOptions;
 
-class BiquadFilterHandler : public AudioBasicProcessorHandler {
+class BiquadFilterHandler : public AudioBasicProcessorHandler ,
+                            public base::SupportsWeakPtr<BiquadFilterHandler> {
  public:
   static scoped_refptr<BiquadFilterHandler> Create(AudioNode&,
                                                    float sample_rate,
diff --git a/chromium/third_party/blink/renderer/modules/webaudio/iir_filter_node.cc b/chromium/third_party/blink/renderer/modules/webaudio/iir_filter_node.cc
index 88b1026d6e4..513b38c851c 100644
--- a/chromium/third_party/blink/renderer/modules/webaudio/iir_filter_node.cc
+++ b/chromium/third_party/blink/renderer/modules/webaudio/iir_filter_node.cc
@@ -104,9 +104,9 @@ void IIRFilterHandler::Process(uint32_t frames_to_process) {
     if (HasNonFiniteOutput()) {
       did_warn_bad_filter_state_ = true;
 
-      PostCrossThreadTask(*task_runner_, FROM_HERE,
-                          CrossThreadBindOnce(&IIRFilterHandler::NotifyBadState,
-                                              WrapRefCounted(this)));
+      PostCrossThreadTask(
+          *task_runner_, FROM_HERE,
+          CrossThreadBindOnce(&IIRFilterHandler::NotifyBadState, AsWeakPtr()));
     }
   }
 }
diff --git a/chromium/third_party/blink/renderer/modules/webaudio/iir_filter_node.h b/chromium/third_party/blink/renderer/modules/webaudio/iir_filter_node.h
index dc049ae5cc7..2609f1bafc2 100644
--- a/chromium/third_party/blink/renderer/modules/webaudio/iir_filter_node.h
+++ b/chromium/third_party/blink/renderer/modules/webaudio/iir_filter_node.h
@@ -5,6 +5,7 @@
 #ifndef THIRD_PARTY_BLINK_RENDERER_MODULES_WEBAUDIO_IIR_FILTER_NODE_H_
 #define THIRD_PARTY_BLINK_RENDERER_MODULES_WEBAUDIO_IIR_FILTER_NODE_H_
 
+#include "base/memory/weak_ptr.h"
 #include "base/single_thread_task_runner.h"
 #include "third_party/blink/renderer/core/typed_arrays/array_buffer_view_helpers.h"
 #include "third_party/blink/renderer/core/typed_arrays/dom_typed_array.h"
@@ -18,7 +19,9 @@ class BaseAudioContext;
 class ExceptionState;
 class IIRFilterOptions;
 
-class IIRFilterHandler : public AudioBasicProcessorHandler {
+class IIRFilterHandler : public AudioBasicProcessorHandler,
+                         public base::SupportsWeakPtr<IIRFilterHandler> {
+
  public:
   static scoped_refptr<IIRFilterHandler> Create(
       AudioNode&,
author	Hongchan Choi <hongchan@chromium.org>	2020-03-16 06:07:19 +0000
committer	Michael Brüning <michael.bruning@qt.io>	2020-03-24 08:37:55 +0000
commit	8f4cef2a9d94930d02e254e054f8a9d0796e2422 (patch)
tree	e17e4c5bcdeb8566316af738a97ad4d33e654f25
parent	c110d4f93dfd89bdddfbc5b2181bbc698db7f6d5 (diff)
download	qtwebengine-chromium-8f4cef2a9d94930d02e254e054f8a9d0796e2422.tar.gz