author | Raymond Toy <rtoy@chromium.org> | 2020-03-16 18:26:41 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2020-03-24 08:38:10 +0000 |
commit | 9aabebeb69be9c62ded34e81217f648b0fa1c7d2 (patch) | |
tree | 8993063eb556201fff9557790a6cde32cd187eca | |
parent | 2a9a1c057d8984ba9fc25e2dd8b5fe6c58e5ea3b (diff) | |
[Backport] CVE-2020-6449: Use after free in audio.
Manual backport of patch originally reviewed on:
https://chromium-review.googlesource.com/c/chromium/src/+/2098260
https://chromium-review.googlesource.com/c/chromium/src/+/2104992
Make finished_source_handlers_ hold scoped_refptrs
Previously, finished_source_handlers_ held raw pointers to
AudioHandlers and assumed that active_source_handlers_ also had a
copy. But when the context goes away, active_source_handlers_ would
be cleared, but not finished_source_handlers_, leaving pointers to
deleted objects.
So do two things:
1. Change finished_source_handlers_ to hold scoped_refptrs to manage
lifetime of the objects
2. Clear finished_source_handlers_ in ClearHandlersToBeDeleted()
Either of these fixes the repro case, but let's do both. We don't want to
leave dangling objects.
Manually tested the repro case which no longer reproduces.
Bug: 1059686
Change-Id: I11e999e6d7243351771d9530ceb924bd635578fd
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc | 3 | ||||
-rw-r--r-- | chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.h | 4 |
2 files changed, 4 insertions, 3 deletions
diff --git a/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc b/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc
index fca70458c5a..b836b4d23ca 100644
--- a/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc
+++ b/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc
@@ -77,7 +77,7 @@ void DeferredTaskHandler::BreakConnections() {
   // connection.
   wtf_size_t size = finished_source_handlers_.size();
   if (size > 0) {
-    for (auto* finished : finished_source_handlers_) {
+    for (auto finished : finished_source_handlers_) {
       // Break connection first and then remove from the list because that can
       // cause the handler to be deleted.
       finished->BreakConnectionWithLock();
@@ -358,6 +358,7 @@ void DeferredTaskHandler::ClearHandlersToBeDeleted() {
   deletable_orphan_handlers_.clear();
   automatic_pull_handlers_.clear();
   rendering_automatic_pull_handlers_.clear();
+  finished_source_handlers_.clear();
   active_source_handlers_.clear();
 }
 
diff --git a/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.h b/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.h
index 0ede5f5b5da..5d7416e481e 100644
--- a/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.h
+++ b/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.h
@@ -188,7 +188,7 @@ class MODULES_EXPORT DeferredTaskHandler final
     return &active_source_handlers_;
   }
 
-  Vector<AudioHandler*>* GetFinishedSourceHandlers() {
+  Vector<scoped_refptr<AudioHandler>>* GetFinishedSourceHandlers() {
     return &finished_source_handlers_;
   }
 
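Review bot: The by-value `auto finished` in the BreakConnections() loop copies a scoped_refptr on every iteration, which clang-tidy's performance-for-range-copy will flag and a later cleanup could "fix" to `const auto&`; here the copy looks deliberate, because the comment in the hunk says the removal that follows can delete the handler, and an owning copy is what keeps it alive through BreakConnectionWithLock(). A reference into finished_source_handlers_ would also dangle if the loop body erases from that same vector, which I cannot see — the body continues outside the hunk. Suggest making the intent explicit with a comment above the loop: `// Copy the ref on purpose: it keeps the handler alive while its connection is broken.`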
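Review bot: The added `finished_source_handlers_.clear();` in ClearHandlersToBeDeleted() may release the last reference to each AudioHandler, so handler destruction can now happen inside this function; that is the intended fix, but the member's header comment in the deferred_task_handler.h hunk still says `// This must be accessed only from the audio thread.`, which no longer describes this teardown path if ClearHandlersToBeDeleted() runs on another thread — its preamble is outside the hunk, so confirm which thread it runs on. If it is not the audio thread, extend the member comment: `// This must be accessed only from the audio thread, except that ClearHandlersToBeDeleted() clears it at context teardown.`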
@@ -257,7 +257,7 @@ class MODULES_EXPORT DeferredTaskHandler final
   // connection and elements here are removed from |active_source_handlers_|.
   //
   // This must be accessed only from the audio thread.
-  Vector<AudioHandler*> finished_source_handlers_;
+  Vector<scoped_refptr<AudioHandler>> finished_source_handlers_;
 
   scoped_refptr<base::SingleThreadTaskRunner> task_runner_;