diff options
| author | Hongchan Choi <hongchan@chromium.org> | 2020-03-16 06:07:19 +0000 |
|---|---|---|
| committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2020-03-24 08:37:55 +0000 |
| commit | 8f4cef2a9d94930d02e254e054f8a9d0796e2422 (patch) | |
| tree | e17e4c5bcdeb8566316af738a97ad4d33e654f25 /chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc | |
| parent | c110d4f93dfd89bdddfbc5b2181bbc698db7f6d5 (diff) | |
| download | qtwebengine-chromium-8f4cef2a9d94930d02e254e054f8a9d0796e2422.tar.gz | |
[Backport] CVE-2020-6427: Use after free in audio.
Manual backport of patch originally reviewed on:
https://chromium-review.googlesource.com/c/chromium/src/+/2074807
https://chromium-review.googlesource.com/c/chromium/src/+/2104664
Use WeakPtr for cross-thread posting
{IIR,Biquad}FilterNodes check the state of the filter and notify the
main thread when it goes bad. In this process, the associated context
can be collected when a posted task is performed sometime later
in the task runner's queue.
By using WeakPtr, the task runner will not perform a scheduled task
in the queue when the target object is invalid anymore.
(cherry picked from commit 2cd0af7ea20547c2471483ef2233f3b068db93c3)
Test: Locally confirmed that the repro case does not crash after 30 min.
Bug: 1055788
Change-Id: I23e001ad6e900631d0e9e475f690c57f63639dcc
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Diffstat (limited to 'chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc')
0 files changed, 0 insertions, 0 deletions