From 72d0936150ffc54889e27329c51f6c1382ccf63d Mon Sep 17 00:00:00 2001
From: Raymond Toy
Date: Mon, 16 Mar 2020 05:58:01 +0000
Subject: [Backport] CVE-2020-6428: Use after free in audio.

Manual backport of patch originally reviewed on:
https://chromium-review.googlesource.com/c/chromium/src/+/2083436
https://chromium-review.googlesource.com/c/chromium/src/+/2104827

Break connections before removing from active_source_handlers_.

In DeferredTaskHandler::BreakConnections, we want to remove finished handlers and break the connection. when a finished handler is removed from active_source_handlers_, it might be deleted, but we were still using that to create the connection. Instead, break the connection first and then remove it.

Manually ran test from the bug and it passes with this change. Without this, it failed right away.

Bug: 1057593
Change-Id: Id9254071e7860d593d6061fd395c00160002202b
Reviewed-by: Michal Klocek
---
 .../blink/renderer/modules/webaudio/deferred_task_handler.cc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc b/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc
index 9fd38f0dde7..fca70458c5a 100644
--- a/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc
+++ b/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc
@@ -78,8 +78,10 @@ void DeferredTaskHandler::BreakConnections() {
   wtf_size_t size = finished_source_handlers_.size();
   if (size > 0) {
     for (auto* finished : finished_source_handlers_) {
-      active_source_handlers_.erase(finished);
+      // Break connection first and then remove from the list because that can
+      // cause the handler to be deleted.
       finished->BreakConnectionWithLock();
+      active_source_handlers_.erase(finished);
     }
     finished_source_handlers_.clear();
   }
-- 
cgit v1.2.1
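Review bot: The added comment above `finished->BreakConnectionWithLock()` is ambiguous about which statement may free the handler ("that" reads as the break call), and it does not say that `finished` is a dangling raw pointer once `active_source_handlers_.erase(finished)` has run, which is exactly the invariant the CVE fix depends on and the one a later edit to this loop body could silently break. I would reword it to `// Erasing from active_source_handlers_ may drop the last reference to |finished|, so it must come after BreakConnectionWithLock(); do not touch |finished| after the erase.` The fix is purely an ordering constraint with no DCHECK or test guarding it, and the message says the reproducer from bug 1057593 was only run manually, so landing it as a web test would protect the ordering (the upstream CLs cited may already do this). This reading presumes `active_source_handlers_` holds the owning reference as the commit message implies; the enclosing `BreakConnections()` body ends outside the hunk.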