diff options
| author | Hongchan Choi <hongchan@chromium.org> | 2020-01-18 00:24:38 +0000 |
|---|---|---|
| committer | Michael Brüning <michael.bruning@qt.io> | 2020-03-06 12:02:56 +0000 |
| commit | feeaf8ecd52e7a1fd95ebf989db58e4bc2253390 (patch) | |
| tree | 66750bf042695222677e2a501c3ca2b9f0931028 | |
| parent | b6fde543e118f3056b6bdca1c5ae6f36afbf8be2 (diff) | |
| download | qtwebengine-chromium-feeaf8ecd52e7a1fd95ebf989db58e4bc2253390.tar.gz | |
[Backport] CVE-2020-6406 - Use after free in audio
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2003564
https://chromium-review.googlesource.com/c/chromium/src/+/2008320:
Add a graph lock in PannerHandler::SetPanningModel()
We need the graph lock to secure the panner backend because
BaseAudioContext::Handle{Pre,Post}RenderTasks() from the audio thread
can touch it.
(cherry picked from commit 00962dd2d61776b03be93557683d8a301e4bb572)
Test: ran two repro cases from the report over 1 hour and TSAN survived.
Bug: 1042254
Change-Id: Ie768f00455198ebd4aa376f85da4fa4a66366061
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
| -rw-r--r-- | chromium/third_party/blink/renderer/modules/webaudio/panner_node.cc | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/chromium/third_party/blink/renderer/modules/webaudio/panner_node.cc b/chromium/third_party/blink/renderer/modules/webaudio/panner_node.cc index 4eae502e4c8..313adf9dc0e 100644 --- a/chromium/third_party/blink/renderer/modules/webaudio/panner_node.cc +++ b/chromium/third_party/blink/renderer/modules/webaudio/panner_node.cc @@ -390,6 +390,11 @@ bool PannerHandler::SetPanningModel(unsigned model) { } if (!panner_.get() || model != panning_model_) { + // We need the graph lock to secure the panner backend because + // BaseAudioContext::Handle{Pre,Post}RenderTasks() from the audio thread + // can touch it. + BaseAudioContext::GraphAutoLocker context_locker(Context()); + // This synchronizes with process(). MutexLocker process_locker(process_lock_); panner_ = Panner::Create(model, Context()->sampleRate(), |