From b41d57627c005a1b2f093b944787c5dde16b235b Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen
Date: Mon, 14 Oct 2019 13:35:38 +0200
Subject: [Backport] CVE-2019-13695
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
[merge m77] media: Keep |cdm_context_ref_| in mojo media services on failure
When unexpected failure happens, we expect the service to stay in a valid state.
(cherry picked from commit d496219fd9061eaba1be73be05f8fac1dda86a27)
Bug: 1004730
Test: Manually tested
Change-Id: Ib35035705e4604b9aa8cf5212de07bc1069e73d4
Commit-Queue: Xiaohan Wang
Reviewed-by: John Rummell
Reviewed-by: Daniel Cheng
Cr-Original-Commit-Position: refs/heads/master@{#697907}
Reviewed-by: Xiaohan Wang
Cr-Commit-Position: refs/branch-heads/3865@{#843}
Cr-Branched-From: 0cdcc6158160790658d1f033d3db873603250124-refs/heads/master@{#681094}
Reviewed-by: Jüri Valdmann
---
 chromium/media/mojo/services/mojo_audio_decoder_service.cc | 7 +++++--
 chromium/media/mojo/services/mojo_renderer_service.cc | 7 +++++--
 chromium/media/mojo/services/mojo_video_decoder_service.cc | 7 +++++--
 3 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/chromium/media/mojo/services/mojo_audio_decoder_service.cc b/chromium/media/mojo/services/mojo_audio_decoder_service.cc
index eba8b656e92..68ec4f9eb74 100644
--- a/chromium/media/mojo/services/mojo_audio_decoder_service.cc
+++ b/chromium/media/mojo/services/mojo_audio_decoder_service.cc
@@ -41,13 +41,16 @@ void MojoAudioDecoderService::Initialize(const AudioDecoderConfig& config,
 // Get CdmContext from cdm_id if the stream is encrypted.
 CdmContext* cdm_context = nullptr;
 if (config.is_encrypted()) {
- cdm_context_ref_ = mojo_cdm_service_context_->GetCdmContextRef(cdm_id);
- if (!cdm_context_ref_) {
+ auto cdm_context_ref = mojo_cdm_service_context_->GetCdmContextRef(cdm_id);
+ if (!cdm_context_ref) {
 DVLOG(1) << "CdmContextRef not found for CDM id: " << cdm_id;
 std::move(callback).Run(false, false);
 return;
 }
+ // |cdm_context_ref_| must be kept as long as |cdm_context| is used by the
+ // |decoder_|.
+ cdm_context_ref_ = std::move(cdm_context_ref);
 cdm_context = cdm_context_ref_->GetCdmContext();
 DCHECK(cdm_context);
 }
diff --git a/chromium/media/mojo/services/mojo_renderer_service.cc b/chromium/media/mojo/services/mojo_renderer_service.cc
index 7afa721f531..f0cfeb6726d 100644
--- a/chromium/media/mojo/services/mojo_renderer_service.cc
+++ b/chromium/media/mojo/services/mojo_renderer_service.cc
@@ -132,13 +132,16 @@ void MojoRendererService::SetCdm(int32_t cdm_id, SetCdmCallback callback) {
 return;
 }
- cdm_context_ref_ = mojo_cdm_service_context_->GetCdmContextRef(cdm_id);
- if (!cdm_context_ref_) {
+ auto cdm_context_ref = mojo_cdm_service_context_->GetCdmContextRef(cdm_id);
+ if (!cdm_context_ref) {
 DVLOG(1) << "CdmContextRef not found for CDM ID: " << cdm_id;
 std::move(callback).Run(false);
 return;
 }
+ // |cdm_context_ref_| must be kept as long as |cdm_context| is used by the
+ // |renderer_|.
+ cdm_context_ref_ = std::move(cdm_context_ref);
 auto* cdm_context = cdm_context_ref_->GetCdmContext();
 DCHECK(cdm_context);
diff --git a/chromium/media/mojo/services/mojo_video_decoder_service.cc b/chromium/media/mojo/services/mojo_video_decoder_service.cc
index 4ec54f1a0fb..bbf9f015e1e 100644
--- a/chromium/media/mojo/services/mojo_video_decoder_service.cc
+++ b/chromium/media/mojo/services/mojo_video_decoder_service.cc
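Review bot: In MojoAudioDecoderService::Initialize the success path still overwrites the member with `cdm_context_ref_ = std::move(cdm_context_ref);`, which releases whatever reference an earlier Initialize() stored before `decoder_` has been given the new `cdm_context` (that call is below the hunk and not visible here). If a second Initialize() can arrive with a different `cdm_id`, `decoder_` may briefly hold a `CdmContext*` whose reference is already gone; this is inferred, since neither the reference type nor the decoder call is shown. Consider keeping the previous reference in a separate member until the new initialization has completed, or rejecting a `cdm_id` that differs from the one already in use. The same assignment appears in the MojoRendererService::SetCdm and MojoVideoDecoderService::Initialize hunks.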
@@ -196,13 +196,16 @@ void MojoVideoDecoderService::Initialize(const VideoDecoderConfig& config,
 // Get CdmContext from cdm_id if the stream is encrypted.
 CdmContext* cdm_context = nullptr;
 if (cdm_id != CdmContext::kInvalidCdmId) {
- cdm_context_ref_ = mojo_cdm_service_context_->GetCdmContextRef(cdm_id);
- if (!cdm_context_ref_) {
+ auto cdm_context_ref = mojo_cdm_service_context_->GetCdmContextRef(cdm_id);
+ if (!cdm_context_ref) {
 DVLOG(1) << "CdmContextRef not found for CDM id: " << cdm_id;
 OnDecoderInitialized(false);
 return;
 }
+ // |cdm_context_ref_| must be kept as long as |cdm_context| is used by the
+ // |decoder_|.
+ cdm_context_ref_ = std::move(cdm_context_ref);
 cdm_context = cdm_context_ref_->GetCdmContext();
 DCHECK(cdm_context);
 }
--
cgit v1.2.1
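Review bot: The failure branch in MojoVideoDecoderService::Initialize reports through `OnDecoderInitialized(false);` rather than running the callback directly as the audio decoder hunk does, and that function's body is outside this hunk, so it is worth confirming that it does not reset `cdm_context_ref_`, since that would undo the invariant this change establishes. A comment on the call would pin the expectation, for example `// Must leave |cdm_context_ref_| untouched; a previously initialized |decoder_| may still use it.` The added comment above the assignment explains why the member is kept but not why the lookup goes into a local first, which is the part a later cleanup could revert.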