From 2a9a1c057d8984ba9fc25e2dd8b5fe6c58e5ea3b Mon Sep 17 00:00:00 2001
From: Hongchan Choi
Date: Mon, 16 Mar 2020 05:52:36 +0000
Subject: [Backport] CVE-2020-6429: Use after free in audio.

Manual backport of patch originally reviewed on:
https://chromium-review.googlesource.com/c/chromium/src/+/2082897
https://chromium-review.googlesource.com/c/chromium/src/+/2104662

Use SupportsWeakPtr for messaging from rendering thread to main thread

In cross-thread messaging, the associated execution context can be already gone when a posted task is performed sometime later in the task runner's queue. By using WeakPtr, the task runner will not perform a scheduled task in the queue when the target object is invalid.

Test: Locally confirmed that the repro does not crash.

Bug: 1057627
Change-Id: Ia794fe220ac9868584be4d3993790293daf52c8a
Reviewed-by: Michal Klocek
---
 .../blink/renderer/modules/webaudio/audio_scheduled_source_node.cc | 2 +-
 .../blink/renderer/modules/webaudio/audio_scheduled_source_node.h | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/chromium/third_party/blink/renderer/modules/webaudio/audio_scheduled_source_node.cc b/chromium/third_party/blink/renderer/modules/webaudio/audio_scheduled_source_node.cc
index 590ffe30c6e..4e288e94ff5 100644
--- a/chromium/third_party/blink/renderer/modules/webaudio/audio_scheduled_source_node.cc
+++ b/chromium/third_party/blink/renderer/modules/webaudio/audio_scheduled_source_node.cc
@@ -259,7 +259,7 @@ void AudioScheduledSourceHandler::Finish() {
 PostCrossThreadTask(
 *task_runner_, FROM_HERE,
 CrossThreadBindOnce(&AudioScheduledSourceHandler::NotifyEnded,
- WrapRefCounted(this)));
+ AsWeakPtr()));
 }
 void AudioScheduledSourceHandler::NotifyEnded() {
diff --git a/chromium/third_party/blink/renderer/modules/webaudio/audio_scheduled_source_node.h b/chromium/third_party/blink/renderer/modules/webaudio/audio_scheduled_source_node.h
index 2fdb9bac867..d526a776c4c 100644
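Review bot: The WeakPtr is created by `AsWeakPtr()` on the thread that runs `Finish()` (the rendering/audio side per the commit message) and dereferenced on the main thread when `NotifyEnded` runs, and as I read base's contract a WeakPtr must be dereferenced and invalidated on a single sequence, with `SupportsWeakPtr` invalidating in its destructor; the fix therefore only holds if the handler can never be destroyed off the main thread, which the removed `WrapRefCounted(this)` (a ref-counted object released from whichever thread drops the last reference) leaves open — worth confirming, or guarding with an explicit main-thread-only invalidation. Dropping the strong reference also changes semantics: when the handler is already gone the task is silently skipped rather than keeping the object alive, which is the intended mitigation for the use-after-free here. A one-line comment on the posting site would record that, e.g. `// Weak receiver: if the handler dies before the main thread runs this, the task is dropped.`. The body of `Finish()` starts before the hunk and `NotifyEnded()` continues past it, so the main-thread side of the contract is not visible here.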
--- a/chromium/third_party/blink/renderer/modules/webaudio/audio_scheduled_source_node.h
+++ b/chromium/third_party/blink/renderer/modules/webaudio/audio_scheduled_source_node.h
@@ -30,6 +30,7 @@
 #define THIRD_PARTY_BLINK_RENDERER_MODULES_WEBAUDIO_AUDIO_SCHEDULED_SOURCE_NODE_H_
 #include
+#include "base/memory/weak_ptr.h"
 #include "third_party/blink/renderer/bindings/core/v8/active_script_wrappable.h"
 #include "third_party/blink/renderer/modules/webaudio/audio_node.h"
@@ -38,7 +39,9 @@ namespace blink {
 class BaseAudioContext;
 class AudioBus;
-class AudioScheduledSourceHandler : public AudioHandler {
+class AudioScheduledSourceHandler
+ : public AudioHandler,
+ public base::SupportsWeakPtr {
 public:
 // These are the possible states an AudioScheduledSourceNode can be in:
 //
-- 
cgit v1.2.1
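Review bot: The added base on the `+ public base::SupportsWeakPtr {` line shows no template argument, yet `SupportsWeakPtr` is a CRTP base; presumably the real line is `public base::SupportsWeakPtr<AudioScheduledSourceHandler> {` and the angle brackets were stripped when this page was rendered (the earlier `#include` context line in the same file has lost its header name the same way), so confirm against the checked-in header rather than this rendering. The handler is also reference-counted, as the removed `WrapRefCounted(this)` in the .cc hunk implies, so the class now carries two lifetime mechanisms and nothing in the header states which thread may dereference or invalidate the weak pointers. A comment above the class such as `// AsWeakPtr() handles are posted to the main thread by Finish(); dereference and invalidation must happen only there.` would document the contract the .cc change relies on. The class body continues past the hunk.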