[Backport] Fix for CVE-2019-5760

Check weak pointers in RTCPeerConnectionHandler::WebRtcSetDescriptionObserverImpl Bug: 912074 Change-Id: I8ba86751f5d5bf12db51520f985ef0d3dae63ed8 Reviewed-on: https://chromium-review.googlesource.com/c/1411916 Commit-Queue: Guido Urdaneta <guidou@chromium.org> Reviewed-by: Henrik Boström <hbos@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#622945}(cherry picked from commit 3514a77e7fa2e5b8bfe5d98af22964bbd69d680f) Reviewed-on: https://chromium-review.googlesource.com/c/1412028 Reviewed-by: Guido Urdaneta <guidou@chromium.org> Cr-Commit-Position: refs/branch-heads/3626@{#741} Cr-Branched-From: d897fb137fbaaa9355c0c93124cc048824eb1e65-refs/heads/master@{#612437} Reviewed-by: Michael Brüning <michael.bruning@qt.io>
author: Allan Sandfeld Jensen <allan.jensen@qt.io> 2019-02-01 16:00:47 +0100
committer: Allan Sandfeld Jensen <allan.jensen@qt.io> 2019-02-04 19:08:44 +0000
commit: 63cf07a2a77c2fc2ce52e063ceb860c8adcc718c (patch)
tree: da9f1c3ee096944d38b602ec1c5890e3c20792ae
parent: c350fc2e32587acf01028c989b21a9b31ea7face (diff)
download: qtwebengine-chromium-63cf07a2a77c2fc2ce52e063ceb860c8adcc718c.tar.gz
1 files changed, 18 insertions, 7 deletions
diff --git a/chromium/content/renderer/media/webrtc/rtc_peer_connection_handler.cc b/chromium/content/renderer/media/webrtc/rtc_peer_connection_handler.cc
index 0701c420f9a..0d815b449ee 100644
--- a/chromium/content/renderer/media/webrtc/rtc_peer_connection_handler.cc
+++ b/chromium/content/renderer/media/webrtc/rtc_peer_connection_handler.cc
@@ -795,6 +795,7 @@ class RTCPeerConnectionHandler::WebRtcSetDescriptionObserverImpl
     }
 
     if (handler_) {
+      // |handler_| can become null after this call.
       handler_->OnSignalingChange(states.signaling_state);
 
       // Process the rest of the state changes differently depending on SDP
@@ -806,7 +807,7 @@ class RTCPeerConnectionHandler::WebRtcSetDescriptionObserverImpl
         ProcessStateChangesUnifiedPlan(std::move(states));
       }
 
-      if (tracker_) {
+      if (tracker_ && handler_) {
         tracker_->TrackSessionDescriptionCallback(handler_.get(), action_,
                                                   "OnSuccess", "");
       }
@@ -841,6 +842,9 @@ class RTCPeerConnectionHandler::WebRtcSetDescriptionObserverImpl
 
   void ProcessStateChangesPlanB(WebRtcSetDescriptionObserver::States states) {
     DCHECK_EQ(sdp_semantics_, blink::WebRTCSdpSemantics::kPlanB);
+    if (!handler_)
+      return;
+
     // Determine which receivers have been removed before processing the
     // removal as to not invalidate the iterator.
     std::vector<RTCRtpReceiver*> removed_receivers;
@@ -852,18 +856,23 @@ class RTCPeerConnectionHandler::WebRtcSetDescriptionObserverImpl
 
     // Process the addition of remote receivers/tracks.
     for (auto& transceiver_state : states.transceiver_states) {
-      if (ReceiverWasAdded(transceiver_state)) {
+      if (handler_ && ReceiverWasAdded(transceiver_state)) {
+        // |handler_| can become null after this call.
         handler_->OnAddReceiverPlanB(transceiver_state.MoveReceiverState());
       }
     }
     // Process the removal of remote receivers/tracks.
     for (auto* removed_receiver : removed_receivers) {
-      handler_->OnRemoveReceiverPlanB(RTCRtpReceiver::getId(
-          removed_receiver->state().webrtc_receiver().get()));
+      if (handler_) {
+        // |handler_| can become null after this call.
+        handler_->OnRemoveReceiverPlanB(RTCRtpReceiver::getId(
+            removed_receiver->state().webrtc_receiver().get()));
+      }
     }
   }
 
   bool ReceiverWasAdded(const RtpTransceiverState& transceiver_state) {
+    DCHECK(handler_);
     uintptr_t receiver_id = RTCRtpReceiver::getId(
         transceiver_state.receiver_state()->webrtc_receiver().get());
     for (const auto& receiver : handler_->rtp_receivers_) {
@@ -888,9 +897,11 @@ class RTCPeerConnectionHandler::WebRtcSetDescriptionObserverImpl
   void ProcessStateChangesUnifiedPlan(
       WebRtcSetDescriptionObserver::States states) {
     DCHECK_EQ(sdp_semantics_, blink::WebRTCSdpSemantics::kUnifiedPlan);
-    handler_->OnModifyTransceivers(
-        std::move(states.transceiver_states),
-        action_ == PeerConnectionTracker::ACTION_SET_REMOTE_DESCRIPTION);
+    if (handler_) {
+      handler_->OnModifyTransceivers(
+          std::move(states.transceiver_states),
+          action_ == PeerConnectionTracker::ACTION_SET_REMOTE_DESCRIPTION);
+    }
   }
 
   base::WeakPtr<RTCPeerConnectionHandler> handler_;
author	Allan Sandfeld Jensen <allan.jensen@qt.io>	2019-02-01 16:00:47 +0100
committer	Allan Sandfeld Jensen <allan.jensen@qt.io>	2019-02-04 19:08:44 +0000
commit	63cf07a2a77c2fc2ce52e063ceb860c8adcc718c (patch)
tree	da9f1c3ee096944d38b602ec1c5890e3c20792ae
parent	c350fc2e32587acf01028c989b21a9b31ea7face (diff)
download	qtwebengine-chromium-63cf07a2a77c2fc2ce52e063ceb860c8adcc718c.tar.gz