authorHongchan Choi <hongchan@chromium.org>2020-02-13 19:59:04 +0000
committerMichael Brüning <michael.bruning@qt.io>2020-03-05 09:50:22 +0000
commitd8724284f471b3d3d6c4cf2246aa8a84d7fbc6c5 (patch)
tree47599b9e7043e64ce0c215ed552ad0dfe33b7b6a
parent642c7bea74e22a9578944ff419fa9fa682adbab7 (diff)
downloadqtwebengine-chromium-d8724284f471b3d3d6c4cf2246aa8a84d7fbc6c5.tar.gz
[Backport] CVE-2020-6384: Use after free in WebAudio
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2042409 https://chromium-review.googlesource.com/c/chromium/src/+/2055005 Do not resume OfflineAudioContext when it is cleared Previously the OfflineAudioContext::resumeContext() method did not check whether the context had been cleared by ExecutionContext::ContextDestroyed(). Such a case is possible when the audio context is part of a detached iframe. This CL changes the check so we can verify whether the context's resources are still available; otherwise, we reject the resume promise resolver. (cherry picked from commit 5d595814f7262727112fc068ad6d4bc9ec319df4) Test: Locally confirmed ASAN does not crash with the repro case. Bug: 1048473 Change-Id: I24b498b5c1a197aa2c671532a466fb188800b1e9 Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/modules/webaudio/offline_audio_context.cc5
1 files changed, 3 insertions, 2 deletions
diff --git a/chromium/third_party/blink/renderer/modules/webaudio/offline_audio_context.cc b/chromium/third_party/blink/renderer/modules/webaudio/offline_audio_context.cc
index 920b9cae8e4..b62c44c240a 100644
--- a/chromium/third_party/blink/renderer/modules/webaudio/offline_audio_context.cc
+++ b/chromium/third_party/blink/renderer/modules/webaudio/offline_audio_context.cc
@@ -322,8 +322,9 @@ ScriptPromise OfflineAudioContext::resumeContext(ScriptState* script_state) {
return promise;
}
- // If the context is in a closed state, reject the promise.
- if (ContextState() == AudioContextState::kClosed) {
+ // If the context is in a closed state or it really is closed (cleared),
+ // reject the promise.
+ if (IsContextClosed()) {
resolver->Reject(MakeGarbageCollected<DOMException>(
DOMExceptionCode::kInvalidStateError,
"cannot resume a closed offline context"));