authorThomas Guilbert <tguilbert@chromium.org>2020-07-25 16:06:33 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2020-08-11 14:48:26 +0000
commit10efe0032f2926cb582d1feca3377be3e3797f02 (patch)
tree6b7226eb5b035283746d45f2a123fb6341ce9249
parentc16701ae8926d2f60d5aa52e7f5aefe97dc29adc (diff)
[Backport] CVE-2020-6544: Use after free in media
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2314981: Fix iterator invalidation issue If a RemotePlayback availabilityCallback invokes watchAvailability(), it may cause changes to the underlying |availability_callbacks_|. This can invalidate the iterator we are using to loop over the callbacks. This CL copies the callbacks to a vector before invoking them, so that they can safely add or remove callbacks while the loop runs. Bug: 1108497 Change-Id: I78220da0b8e10c1d6c0e4fa5e15ada81f10f8fc3 Auto-Submit: Thomas Guilbert <tguilbert@chromium.org> Reviewed-by: Mounir Lamouri <mlamouri@chromium.org> Commit-Queue: Thomas Guilbert <tguilbert@chromium.org> Cr-Commit-Position: refs/heads/master@{#791472} Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/modules/remoteplayback/remote_playback.cc7
1 files changed, 6 insertions, 1 deletions
diff --git a/chromium/third_party/blink/renderer/modules/remoteplayback/remote_playback.cc b/chromium/third_party/blink/renderer/modules/remoteplayback/remote_playback.cc
index 6f9836a57e1..dfa13c957c4 100644
--- a/chromium/third_party/blink/renderer/modules/remoteplayback/remote_playback.cc
+++ b/chromium/third_party/blink/renderer/modules/remoteplayback/remote_playback.cc
@@ -492,7 +492,12 @@ void RemotePlayback::AvailabilityChanged(
if (new_availability == old_availability)
return;
- for (auto& callback : availability_callbacks_.Values())
+ // Copy the callbacks to a temporary vector to prevent iterator invalidations,
+ // in case the JS callbacks invoke watchAvailability().
+ HeapVector<Member<AvailabilityCallbackWrapper>> callbacks;
+ CopyValuesToVector(availability_callbacks_, callbacks);
+
+ for (auto& callback : callbacks)
callback->Run(this, new_availability);
}
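Review bot: A callback that an earlier callback in the same dispatch removes from `availability_callbacks_` (for example via cancelWatchAvailability()) is still invoked with the new availability, because the loop now walks the snapshot rather than the live map; that is the safe side of the use-after-free fix, but it is a behaviour change the comment should state, e.g. `// Callbacks removed by an earlier callback in this loop still run once.` The added comment names only watchAvailability() as the trigger, while removal is the other way the map can change under the loop, so it is worth naming both. AvailabilityChanged() begins before this hunk, and the diffstat shows the backport carries no accompanying regression test for the re-entrant case.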