[Backport] Security bug 1029865

Merge M80: "Neuter DefaultDecoderFactory after MediaFactory destruction." Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/1990200 Since we started allowing asynchronous stop of media::PipelineImpl, we have released the DefaultDecoderFactory on the media thread assuming it was safe to continue usage after ~MediaFactory. It turns out this is not the case for the MojoDecoderFactory used by DefaultDecoderFactory. To fix, we now neuter the DefaultDecoderFactory in ~MediaFactory to prevent decoders from being created. This is done under a lock since the decoder creation methods are called from the media thread and ~MediaFactory happens on the render thread at time of ~RenderFrame. TBR=<U+200B>xhwang (cherry picked from commit 7b100c28d219f682763522ed0a3e30e231c1176b) Fixed: 1029865 Change-Id: I3cde99102863565c05f9da042f27eaac982bcc28 Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
author: Dale Curtis <dalecurtis@chromium.org> 2020-01-10 20:56:56 +0000
committer: Michael Brüning <michael.bruning@qt.io> 2020-03-05 11:27:38 +0000
commit: e87caa4598d70afedda68428f15419e40131245e (patch)
tree: 923e4d72e209f095e46aba8ccaa08464ac3f42d0 /chromium/media/renderers/default_decoder_factory.cc
parent: d8724284f471b3d3d6c4cf2246aa8a84d7fbc6c5 (diff)
download: qtwebengine-chromium-e87caa4598d70afedda68428f15419e40131245e.tar.gz
1 files changed, 14 insertions, 0 deletions
diff --git a/chromium/media/renderers/default_decoder_factory.cc b/chromium/media/renderers/default_decoder_factory.cc
index 755b06c9c0c..394a64b6f58 100644
--- a/chromium/media/renderers/default_decoder_factory.cc
+++ b/chromium/media/renderers/default_decoder_factory.cc
@@ -57,6 +57,10 @@ void DefaultDecoderFactory::CreateAudioDecoders(
     scoped_refptr<base::SingleThreadTaskRunner> task_runner,
     MediaLog* media_log,
     std::vector<std::unique_ptr<AudioDecoder>>* audio_decoders) {
+  base::AutoLock auto_lock(shutdown_lock_);
+  if (is_shutdown_)
+    return;
+
 #if !defined(OS_ANDROID)
   // DecryptingAudioDecoder is only needed in External Clear Key testing to
   // cover the audio decrypt-and-decode path.
@@ -84,6 +88,10 @@ void DefaultDecoderFactory::CreateVideoDecoders(
     const RequestOverlayInfoCB& request_overlay_info_cb,
     const gfx::ColorSpace& target_color_space,
     std::vector<std::unique_ptr<VideoDecoder>>* video_decoders) {
+  base::AutoLock auto_lock(shutdown_lock_);
+  if (is_shutdown_)
+    return;
+
 #if !defined(OS_ANDROID)
   video_decoders->push_back(
       std::make_unique<DecryptingVideoDecoder>(task_runner, media_log));
@@ -123,4 +131,10 @@ void DefaultDecoderFactory::CreateVideoDecoders(
 #endif
 }
 
+void DefaultDecoderFactory::Shutdown() {
+  base::AutoLock auto_lock(shutdown_lock_);
+  external_decoder_factory_.reset();
+  is_shutdown_ = true;
+}
+
 }  // namespace media
author	Dale Curtis <dalecurtis@chromium.org>	2020-01-10 20:56:56 +0000
committer	Michael Brüning <michael.bruning@qt.io>	2020-03-05 11:27:38 +0000
commit	e87caa4598d70afedda68428f15419e40131245e (patch)
tree	923e4d72e209f095e46aba8ccaa08464ac3f42d0 /chromium/media/renderers/default_decoder_factory.cc
parent	d8724284f471b3d3d6c4cf2246aa8a84d7fbc6c5 (diff)
download	qtwebengine-chromium-e87caa4598d70afedda68428f15419e40131245e.tar.gz