From 1c3145818e41790ade2060c324d233b8a6787856 Mon Sep 17 00:00:00 2001 From: Raymond Toy Date: Wed, 26 Feb 2020 23:21:01 +0000 Subject: [Backport] CVE-2020-6420: Insufficient policy enforcement in media MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2055989 https://chromium-review.googlesource.com/c/chromium/src/+/2075339: MediaElementAudioSourceNode always sets is_origin_tainted When a source changes for a MediaElementAudioSourceNode, the number of channels and sample rate can be the same as the previous source. However, we were skipping updating |is_origin_tainted_| in this case, which allowed audio through even though we printed a message that CORS prevented this. Now always update |is_origin_tainted_| right away. (cherry picked from commit ace7aab359d2fa00ef71e168418ae76df853445b) Bug: 1050996 Change-Id: If1f96d95d01700a9f178a98168401c6a1f3501a6 Reviewed-by: Jüri Valdmann
---
 .../modules/webaudio/media_element_audio_source_node.cc | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/chromium/third_party/blink/renderer/modules/webaudio/media_element_audio_source_node.cc b/chromium/third_party/blink/renderer/modules/webaudio/media_element_audio_source_node.cc
index 7b7fba6f9f1..a317b839799 100644
--- a/chromium/third_party/blink/renderer/modules/webaudio/media_element_audio_source_node.cc
+++ b/chromium/third_party/blink/renderer/modules/webaudio/media_element_audio_source_node.cc
@@ -106,6 +106,13 @@ void MediaElementAudioSourceHandler::SetFormat(uint32_t number_of_channels,
     PrintCorsMessage(MediaElement()->currentSrc().GetString());
   }
 
+  {
+    // Make sure |is_origin_tainted_| matches |is_tainted|. But need to
+    // synchronize with process() to set this.
+    MediaElementAudioSourceHandlerLocker locker(*this);
+    is_origin_tainted_ = is_tainted;
+  }
+
   if (number_of_channels != source_number_of_channels_ ||
       source_sample_rate != source_sample_rate_) {
     if (!number_of_channels ||
@@ -118,16 +125,13 @@ void MediaElementAudioSourceHandler::SetFormat(uint32_t number_of_channels,
       MediaElementAudioSourceHandlerLocker locker(*this);
       source_number_of_channels_ = 0;
       source_sample_rate_ = 0;
-      is_origin_tainted_ = is_tainted;
       return;
     }
 
     // Synchronize with process() to protect |source_number_of_channels_|,
-    // |source_sample_rate_|, |multi_channel_resampler_|. and
-    // |is_origin_tainted_|.
+    // |source_sample_rate_|, |multi_channel_resampler_|.
     MediaElementAudioSourceHandlerLocker locker(*this);
-    is_origin_tainted_ = is_tainted;
     source_number_of_channels_ = number_of_channels;
     source_sample_rate_ = source_sample_rate;
-- 
cgit v1.2.1
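Review bot: The comment on the new locked block explains the locking but not why the write must be unconditional and precede the format-change check, which is the substance of this fix; a later cleanup could fold it back under the `if` and silently reintroduce the bug. I'd make the intent explicit: `// Set unconditionally and BEFORE the format check below: a new source may have the same channel count and sample rate as the previous one, and the early-out must never skip updating the taint flag (crbug.com/1050996).` The diffstat shows only this file changing, so nothing pins the regression; a web test that swaps `src` to a cross-origin resource of identical format and asserts the node's output is silent would. The taint flag and the format fields are now written in two separate lock scopes, so process() can briefly observe the new taint value with the old format — presumably harmless since taint is applied first, but worth confirming against process(), which, like the rest of SetFormat, lies outside the hunk.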