author | Harald Alvestrand <hta@chromium.org> | 2020-04-15 14:03:03 +0000 |
---|---|---|
committer | Michal Klocek <michal.klocek@qt.io> | 2020-06-11 09:05:34 +0000 |
commit | 8a53e97dba1ec531727914b0189db93d21f977b8 (patch) | |
tree | fbef579ae51491687d2487cfae6cf28958c7348d /chromium/content/renderer/media/webrtc/rtc_peer_connection_handler.cc | |
parent | 04e8b821b3635e7d8b32853067894253028a2626 (diff) | |
download | qtwebengine-chromium-8a53e97dba1ec531727914b0189db93d21f977b8.tar.gz |
[Backport] CVE-2020-6467v5.12.9
Onstate handler is allowed to close a PeerConnection.
Bug: chromium:1068084
Change-Id: Icd3f70b6784ac22ef4e3bc1c99233f51145a917f
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Diffstat (limited to 'chromium/content/renderer/media/webrtc/rtc_peer_connection_handler.cc')
-rw-r--r-- | chromium/content/renderer/media/webrtc/rtc_peer_connection_handler.cc | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/chromium/content/renderer/media/webrtc/rtc_peer_connection_handler.cc b/chromium/content/renderer/media/webrtc/rtc_peer_connection_handler.cc
index 8a9329b9a81..1332ba89e93 100644
--- a/chromium/content/renderer/media/webrtc/rtc_peer_connection_handler.cc
+++ b/chromium/content/renderer/media/webrtc/rtc_peer_connection_handler.cc
@@ -1041,6 +1041,7 @@ RTCPeerConnectionHandler::RTCPeerConnectionHandler(
 initialize_called_(false),
 client_(client),
 is_closed_(false),
+ is_unregistered_(false),
 dependency_factory_(dependency_factory),
 track_adapter_map_(
 new WebRtcMediaStreamTrackAdapterMap(dependency_factory_,
@@ -1055,6 +1056,12 @@ RTCPeerConnectionHandler::RTCPeerConnectionHandler(
 }
 RTCPeerConnectionHandler::~RTCPeerConnectionHandler() {
+ if (!is_unregistered_) {
+ StopAndUnregister();
+ }
+}
+
+void RTCPeerConnectionHandler::StopAndUnregister() {
 DCHECK(task_runner_->RunsTasksInCurrentSequence());
 Stop();
@@ -1065,6 +1072,10 @@ RTCPeerConnectionHandler::~RTCPeerConnectionHandler() {
 UMA_HISTOGRAM_COUNTS_10000(
 "WebRTC.NumDataChannelsPerPeerConnection", num_data_channels_created_);
+ // Clear the pointer to client_ so that it does not interfere with
+ // garbage collection.
+ client_ = nullptr;
+ is_unregistered_ = true;
 }
 void RTCPeerConnectionHandler::associateWithFrame(blink::WebLocalFrame* frame) {
@@ -1998,6 +2009,10 @@ void RTCPeerConnectionHandler::OnSignalingChange(
 peer_connection_tracker_->TrackSignalingStateChange(this, new_state);
 if (!is_closed_)
 client_->DidChangeSignalingState(new_state);
+ // The callback may have closed the PC. If so, do not continue.
+ if (is_closed_ || !client_) {
+ return;
+ }
 }
 // Called any time the IceConnectionState changes |
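Review bot: StopAndUnregister() carries no guard of its own against being run twice; only the destructor tests is_unregistered_ before calling it, so any other caller that reaches it on an already-unregistered handler (the commit message implies a close path will) would run Stop() again and, judging by the next hunk, record the data-channel histogram a second time. Moving the test inside the method, `if (is_unregistered_) return;` right after the DCHECK, makes it idempotent and lets the destructor call it unconditionally. The new method also has no header comment; something like `// Stops the peer connection, records per-connection histograms and clears client_. Must run on task_runner_; call at most once.` would state the contract callers now rely on. StopAndUnregister's body is split between this hunk and the next, with lines in between outside the diff.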
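Review bot: Once `client_ = nullptr;` has run, any callback that dereferences client_ behind an `if (!is_closed_)` test alone becomes a null dereference unless Stop() is guaranteed to set is_closed_ first, and nothing in this diff shows that. The unchanged call in the fourth hunk, `if (!is_closed_) client_->DidChangeSignalingState(new_state);`, is exactly such a site and would be safer as `if (!is_closed_ && client_)`; the sibling observer callbacks in this file presumably follow the same pattern and deserve the same guard. The comment above the assignment explains the GC motivation but not the consequence for the rest of the object's lifetime; appending `// From here on client_ is null; every callback must check it before use.` would make that visible where the callbacks are read.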
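Review bot: The added early return is the last statement of OnSignalingChange in this file — the context line that follows it is the closing brace — so in this backport it guards nothing; the only work after the callback is the return itself. If it is kept for parity with an upstream version where more code follows, a one-line comment such as `// Nothing follows in this branch; kept for parity with upstream.` would save the next reader from searching for the missing code; otherwise the check is better folded into the condition before the call, `if (!is_closed_ && client_) client_->DidChangeSignalingState(new_state);`, which is also the site that actually needs the null test. OnSignalingChange begins before this hunk.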