From 8f4cef2a9d94930d02e254e054f8a9d0796e2422 Mon Sep 17 00:00:00 2001
From: Hongchan Choi
Date: Mon, 16 Mar 2020 06:07:19 +0000
Subject: [Backport] CVE-2020-6427: Use after free in audio.

Manual backport of patch originally reviewed on:
https://chromium-review.googlesource.com/c/chromium/src/+/2074807
https://chromium-review.googlesource.com/c/chromium/src/+/2104664

Use WeakPtr for cross-thread posting

{IIR,Biquad}FilterNodes check the state of the filter and notify the main thread when it goes bad. In this process, the associated context can be collected when a posted task is performed sometime later in the task runner's queue. By using WeakPtr, the task runner will not perform a scheduled task in the queue when the target object is invalid anymore.

(cherry picked from commit 2cd0af7ea20547c2471483ef2233f3b068db93c3)

Test: Locally confirmed that the repro case does not crash after 30 min.
Bug: 1055788
Change-Id: I23e001ad6e900631d0e9e475f690c57f63639dcc
Reviewed-by: Michal Klocek
---
 .../blink/renderer/modules/webaudio/biquad_filter_node.cc | 2 +-
 .../blink/renderer/modules/webaudio/biquad_filter_node.h | 4 +++-
 .../third_party/blink/renderer/modules/webaudio/iir_filter_node.cc | 6 +++---
 .../third_party/blink/renderer/modules/webaudio/iir_filter_node.h | 5 ++++-
 4 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/chromium/third_party/blink/renderer/modules/webaudio/biquad_filter_node.cc b/chromium/third_party/blink/renderer/modules/webaudio/biquad_filter_node.cc
index 00d2b9b6ef3..948c3df2b57 100644
--- a/chromium/third_party/blink/renderer/modules/webaudio/biquad_filter_node.cc
+++ b/chromium/third_party/blink/renderer/modules/webaudio/biquad_filter_node.cc
@@ -88,7 +88,7 @@ void BiquadFilterHandler::Process(uint32_t frames_to_process) {
 PostCrossThreadTask(
 *task_runner_, FROM_HERE,
 CrossThreadBindOnce(&BiquadFilterHandler::NotifyBadState,
- WrapRefCounted(this)));
+ AsWeakPtr()));
 }
 }
 }
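Review bot: Passing `AsWeakPtr()` into the task posted from BiquadFilterHandler::Process is only a complete fix if the handler is always destroyed on the sequence task_runner_ runs on, because base::WeakPtr must be dereferenced and invalidated on a single sequence: the pointer is minted here in Process, dereferenced by NotifyBadState on task_runner_, and invalidated wherever the last reference to the handler is dropped. The hunk gives no evidence about that destruction path, and if it can run off task_runner_'s sequence the validity check becomes a data race instead of a guard, so the post site should state the assumption, e.g. `// Weak: if the handler has been torn down before the main thread runs this, the task is dropped rather than touching freed state; relies on the handler being destroyed on task_runner_'s sequence.` The identical change in iir_filter_node.cc needs the same comment. Process's body starts before this hunk.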
diff --git a/chromium/third_party/blink/renderer/modules/webaudio/biquad_filter_node.h b/chromium/third_party/blink/renderer/modules/webaudio/biquad_filter_node.h
index 7ed45955908..a269039bdf4 100644
--- a/chromium/third_party/blink/renderer/modules/webaudio/biquad_filter_node.h
+++ b/chromium/third_party/blink/renderer/modules/webaudio/biquad_filter_node.h
@@ -26,6 +26,7 @@
 #ifndef THIRD_PARTY_BLINK_RENDERER_MODULES_WEBAUDIO_BIQUAD_FILTER_NODE_H_
 #define THIRD_PARTY_BLINK_RENDERER_MODULES_WEBAUDIO_BIQUAD_FILTER_NODE_H_
 
+#include "base/memory/weak_ptr.h"
 #include "third_party/blink/renderer/core/typed_arrays/array_buffer_view_helpers.h"
 #include "third_party/blink/renderer/core/typed_arrays/dom_typed_array.h"
 #include "third_party/blink/renderer/modules/webaudio/audio_basic_processor_handler.h"
@@ -38,7 +39,8 @@ class BaseAudioContext;
 class AudioParam;
 class BiquadFilterOptions;
 
-class BiquadFilterHandler : public AudioBasicProcessorHandler {
+class BiquadFilterHandler : public AudioBasicProcessorHandler ,
+ public base::SupportsWeakPtr {
 public:
 static scoped_refptr Create(AudioNode&,
 float sample_rate,
diff --git a/chromium/third_party/blink/renderer/modules/webaudio/iir_filter_node.cc b/chromium/third_party/blink/renderer/modules/webaudio/iir_filter_node.cc
index 88b1026d6e4..513b38c851c 100644
--- a/chromium/third_party/blink/renderer/modules/webaudio/iir_filter_node.cc
+++ b/chromium/third_party/blink/renderer/modules/webaudio/iir_filter_node.cc
@@ -104,9 +104,9 @@ void IIRFilterHandler::Process(uint32_t frames_to_process) {
 if (HasNonFiniteOutput()) {
 did_warn_bad_filter_state_ = true;
 
- PostCrossThreadTask(*task_runner_, FROM_HERE,
- CrossThreadBindOnce(&IIRFilterHandler::NotifyBadState,
- WrapRefCounted(this)));
+ PostCrossThreadTask(
+ *task_runner_, FROM_HERE,
+ CrossThreadBindOnce(&IIRFilterHandler::NotifyBadState, AsWeakPtr()));
 }
 }
 }
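Review bot: The rewritten base-class list in biquad_filter_node.h has a stray space before the comma, `public AudioBasicProcessorHandler ,`, which is not clang-format output, while the matching hunk in iir_filter_node.h has no such space but inserts an extra blank line before ` public:`; the two backported headers should be formatted the same way, i.e. `class BiquadFilterHandler : public AudioBasicProcessorHandler,` with the second base on the next line and no blank line before the access specifier. Separately, inheriting base::SupportsWeakPtr publicly lets any code holding the handler mint weak pointers to it, although the only consumer is the bad-state task posted from Process; a private `base::WeakPtrFactory<BiquadFilterHandler>` member declared as the last data member (so its weak pointers are invalidated before the rest of the object is destroyed) is the generally preferred form and keeps that capability inside the class. Whichever form is kept, the declaration should carry a comment naming the sequence on which the weak pointers are dereferenced, since NotifyBadState runs on task_runner_ while the pointer is created in Process.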
diff --git a/chromium/third_party/blink/renderer/modules/webaudio/iir_filter_node.h b/chromium/third_party/blink/renderer/modules/webaudio/iir_filter_node.h
index dc049ae5cc7..2609f1bafc2 100644
--- a/chromium/third_party/blink/renderer/modules/webaudio/iir_filter_node.h
+++ b/chromium/third_party/blink/renderer/modules/webaudio/iir_filter_node.h
@@ -5,6 +5,7 @@
 #ifndef THIRD_PARTY_BLINK_RENDERER_MODULES_WEBAUDIO_IIR_FILTER_NODE_H_
 #define THIRD_PARTY_BLINK_RENDERER_MODULES_WEBAUDIO_IIR_FILTER_NODE_H_
 
+#include "base/memory/weak_ptr.h"
 #include "base/single_thread_task_runner.h"
 #include "third_party/blink/renderer/core/typed_arrays/array_buffer_view_helpers.h"
 #include "third_party/blink/renderer/core/typed_arrays/dom_typed_array.h"
@@ -18,7 +19,9 @@ class BaseAudioContext;
 class ExceptionState;
 class IIRFilterOptions;
 
-class IIRFilterHandler : public AudioBasicProcessorHandler {
+class IIRFilterHandler : public AudioBasicProcessorHandler,
+ public base::SupportsWeakPtr {
+
 public:
 static scoped_refptr Create(
 AudioNode&,
-- 
cgit v1.2.1