authorEugene Zemtsov <eugene@chromium.org>2022-04-08 23:28:35 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2022-05-24 13:44:43 +0000
commit67fc041e76d301756c16858e97ba11db797bd68d (patch)
tree8c6e05b26dbfebc1097bc0cf05191d0759ef8380
parentbd6141bd6d1cdbfc535ccd62702446877865869f (diff)
downloadqtwebengine-chromium-67fc041e76d301756c16858e97ba11db797bd68d.tar.gz
[Backport] Security bug 1312563
Manual cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3575680: Only destroy successfully created compression session in VT encoder This is a defensive change, since we don't have a repro on hand. My guess is that VTCompressionSessionCreate() might fail to create a compression session, but still write a value to compressionSessionOut. It makes VTCompressionSessionInvalidate() access uninitialized memory. That's why this CL makes sure that we only destroy a compression session if VTCompressionSessionCreate() reports success. Bug: 1312563 Change-Id: I468ce0e10bad251ca0b62b568607dbc5c32ba8bc Reviewed-by: Dale Curtis <dalecurtis@chromium.org> Commit-Queue: Eugene Zemtsov <eugene@chromium.org> Cr-Commit-Position: refs/heads/main@{#990654} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/media/gpu/mac/vt_video_encode_accelerator_mac.cc12
1 files changed, 8 insertions, 4 deletions
diff --git a/chromium/media/gpu/mac/vt_video_encode_accelerator_mac.cc b/chromium/media/gpu/mac/vt_video_encode_accelerator_mac.cc
index 5b7a020573d..7e058e9670e 100644
--- a/chromium/media/gpu/mac/vt_video_encode_accelerator_mac.cc
+++ b/chromium/media/gpu/mac/vt_video_encode_accelerator_mac.cc
@@ -119,13 +119,13 @@ VTVideoEncodeAccelerator::GetSupportedProfiles() {
SupportedProfiles profiles;
const bool rv = CreateCompressionSession(
gfx::Size(kDefaultResolutionWidth, kDefaultResolutionHeight));
- DestroyCompressionSession();
if (!rv) {
VLOG(1)
<< "Hardware encode acceleration is not available on this platform.";
return profiles;
}
+ DestroyCompressionSession();
SupportedProfile profile;
profile.max_framerate_numerator = kMaxFrameRateNumerator;
profile.max_framerate_denominator = kMaxFrameRateDenominator;
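Review bot: Moving DestroyCompressionSession() below the `if (!rv)` return here, and dropping it from the failure branch of ResetCompressionSession() in the next hunk, makes both callers depend on CreateCompressionSession() never leaving a session in compression_session_ when it returns false. Only the VTCompressionSessionCreate() failure path is visible in this patch; if the function has any other false return, that path would now keep a session alive, so this should be confirmed against the full function. Stating the contract where it is relied on would help, e.g. `DCHECK(!compression_session_);` before `return profiles;` here and before `return false;` in ResetCompressionSession(). Both function bodies extend outside their hunks.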
@@ -495,10 +495,8 @@ bool VTVideoEncodeAccelerator::ResetCompressionSession() {
DestroyCompressionSession();
bool session_rv = CreateCompressionSession(input_visible_size_);
- if (!session_rv) {
- DestroyCompressionSession();
+ if (!session_rv)
return false;
- }
const bool configure_rv = ConfigureCompressionSession();
if (configure_rv)
@@ -534,6 +532,12 @@ bool VTVideoEncodeAccelerator::CreateCompressionSession(
&VTVideoEncodeAccelerator::CompressionCallback,
reinterpret_cast<void*>(this), compression_session_.InitializeInto());
if (status != noErr) {
+ // IMPORTANT: ScopedCFTypeRef::release() doesn't call CFRelease().
+ // In case of an error VTCompressionSessionCreate() is not supposed to
+ // write a non-null value into compression_session_, but just in case,
+ // we'll clear it without calling CFRelease() because it can be unsafe
+ // to call on a not fully created session.
+ (void)compression_session_.release();
DLOG(ERROR) << " VTCompressionSessionCreate failed: " << status;
return false;
}
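Review bot: The new `(void)compression_session_.release();` discards the one piece of evidence that would confirm the root cause the commit message describes as a guess: whether VTCompressionSessionCreate() really wrote a non-null value on failure. Recording it costs one statement in place of the bare call, `if (compression_session_.release()) DLOG(ERROR) << " VTCompressionSessionCreate wrote a session despite failing";`. The comment should also say outright that a non-null value is deliberately leaked, since a later reader may otherwise take the missing CFRelease() for a bug and "fix" it. DLOG is normally compiled out of release builds, so this helps only where debug logging is enabled; the function continues outside the hunk.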