author | Hongchan Choi <hongchan@chromium.org> | 2020-01-18 00:24:38 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2020-03-06 12:02:56 +0000 |
commit | feeaf8ecd52e7a1fd95ebf989db58e4bc2253390 (patch) | |
tree | 66750bf042695222677e2a501c3ca2b9f0931028 /chromium/content/public/browser/devtools_agent_host_client.cc | |
parent | b6fde543e118f3056b6bdca1c5ae6f36afbf8be2 (diff) | |
download | qtwebengine-chromium-feeaf8ecd52e7a1fd95ebf989db58e4bc2253390.tar.gz |

[Backport] CVE-2020-6406 - Use after free in audio

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2003564
https://chromium-review.googlesource.com/c/chromium/src/+/2008320:

Add a graph lock in PannerHandler::SetPanningModel()

We need the graph lock to secure the panner backend because
BaseAudioContext::Handle{Pre,Post}RenderTasks() from the audio thread
can touch it.

(cherry picked from commit 00962dd2d61776b03be93557683d8a301e4bb572)

Test: ran two repro cases from the report over 1 hour and TSAN survived.
Bug: 1042254
Change-Id: Ie768f00455198ebd4aa376f85da4fa4a66366061
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>

Diffstat (limited to 'chromium/content/public/browser/devtools_agent_host_client.cc')
0 files changed, 0 insertions, 0 deletions