diff options
| author | Raymond Toy <rtoy@chromium.org> | 2020-03-16 18:26:41 +0000 |
|---|---|---|
| committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2020-03-24 08:38:10 +0000 |
| commit | 9aabebeb69be9c62ded34e81217f648b0fa1c7d2 (patch) | |
| tree | 8993063eb556201fff9557790a6cde32cd187eca /chromium/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_auth.c | |
| parent | 2a9a1c057d8984ba9fc25e2dd8b5fe6c58e5ea3b (diff) | |
| download | qtwebengine-chromium-9aabebeb69be9c62ded34e81217f648b0fa1c7d2.tar.gz | |
[Backport] CVE-2020-6449: Use after free in audio.
Manual backport of patch originally reviewed on:
https://chromium-review.googlesource.com/c/chromium/src/+/2098260
https://chromium-review.googlesource.com/c/chromium/src/+/2104992
Make finished_source_handlers_ hold scoped_refptrs
Previously, finished_source_handlers_ held raw pointers to
AudioHandlers and assumed that active_source_handlers_ also had a
copy. But when the context goes away, active_source_handlers_ would
be cleared, but not finished_source_handlers_, leaving pointers to
deleted objects.
So do two things:
1. Change finished_source_handlers_ to hold scoped_refptrs to manage
lifetime of the objects
2. Clear finished_source_handler_ in ClearHandlersToBeDeleted()
Either of these fix the repro case, but let's do both. Don't want to
leaving dangling objects.
Manually tested the repro case which no longer reproduces.
Bug: 1059686
Change-Id: I11e999e6d7243351771d9530ceb924bd635578fd
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Diffstat (limited to 'chromium/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_auth.c')
0 files changed, 0 insertions, 0 deletions