| author | Hongchan Choi <hongchan@chromium.org> | 2020-02-13 19:59:04 +0000 |
|---|---|---|
| committer | Michael Brüning <michael.bruning@qt.io> | 2020-03-05 09:50:22 +0000 |
| commit | d8724284f471b3d3d6c4cf2246aa8a84d7fbc6c5 (patch) | |
| tree | 47599b9e7043e64ce0c215ed552ad0dfe33b7b6a /chromium/content/renderer/media/media_factory.cc | |
| parent | 642c7bea74e22a9578944ff419fa9fa682adbab7 (diff) | |
| download | qtwebengine-chromium-d8724284f471b3d3d6c4cf2246aa8a84d7fbc6c5.tar.gz | |
[Backport] CVE-2020-6384: Use after free in WebAudio
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2042409
https://chromium-review.googlesource.com/c/chromium/src/+/2055005
Do not resume OfflineAudioContext when it is cleared
Previously OfflineAudioContext::resumeContext() method did not check
if the context is cleared by ExecutionContext::ContextDestroyed().
Such a case is possible when the audio context is a part of a detached
iframe.
This CL changes the check so we can verify if the context's resources
are still available. Otherwise, we can reject the resume promise
resolver.
(cherry picked from commit 5d595814f7262727112fc068ad6d4bc9ec319df4)
Test: Locally confirmed ASAN does not crash with the repro case.
Bug: 1048473
Change-Id: I24b498b5c1a197aa2c671532a466fb188800b1e9
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
Diffstat (limited to 'chromium/content/renderer/media/media_factory.cc')
0 files changed, 0 insertions, 0 deletions