From d2f5e4d3a25b3668362015ddba4f3b5932ed200f Mon Sep 17 00:00:00 2001
From: Guido Urdaneta
Date: Wed, 22 Jul 2020 18:10:26 +0000
Subject: [Backport] CVE-2020-6549: Use after free in media

Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2312703:

Use copy of source map in MediaElementElementListener::UpdateSources()

Prior to this CL, this function iterated over a source map that could be modified by a re-entrant call triggered by JS code.

Bug: 1105426
Change-Id: I47e49e4132cba98e12ee7c195720ac9ecc1f485b
Reviewed-by: Marina Ciocea
Commit-Queue: Guido Urdaneta
Cr-Commit-Position: refs/heads/master@{#790894}
Reviewed-by: Michal Klocek
---
 .../modules/mediacapturefromelement/html_media_element_capture.cc | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/chromium/third_party/blink/renderer/modules/mediacapturefromelement/html_media_element_capture.cc b/chromium/third_party/blink/renderer/modules/mediacapturefromelement/html_media_element_capture.cc
index a24f912ad07..c6314cd9f3a 100644
--- a/chromium/third_party/blink/renderer/modules/mediacapturefromelement/html_media_element_capture.cc
+++ b/chromium/third_party/blink/renderer/modules/mediacapturefromelement/html_media_element_capture.cc
@@ -240,9 +240,14 @@ void MediaElementEventListener::UpdateSources(ExecutionContext* context) {
   for (auto track : media_stream_->getTracks())
     sources_.insert(track->Component()->Source());

+  // Handling of the ended event in JS triggered by DidStopMediaStreamSource()
+  // may cause a reentrant call to this function, which can modify |sources_|.
+  // Iterate over a copy of |sources_| to avoid invalidation of the iterator
+  // when a reentrant call occurs.
+  auto sources_copy = sources_;
   if (!media_element_->currentSrc().IsEmpty() &&
       !media_element_->IsMediaDataCorsSameOrigin()) {
-    for (auto source : sources_)
+    for (auto source : sources_copy)
       DidStopMediaStreamSource(source.Get());
   }
 }
-- cgit v1.2.1
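Review bot: The copy `auto sources_copy = sources_;` is taken before the `if` that follows it, so every call on the same-origin or empty-currentSrc path pays for a full copy of the set that is then never read; making `auto sources_copy = sources_;` the first statement inside the `if` block, with the range-for over `sources_copy` unchanged, confines the cost to the only path that iterates. Iterating the copy also means a source that a reentrant call has already removed from |sources_| is still handed to DidStopMediaStreamSource() by the outer loop; whether that function tolerates being called twice for the same source is not visible here, and if it does not, a `sources_.Contains(source)` check (assuming |sources_| is a WTF hash set) before the call would guard it. UpdateSources() begins before the hunk; the hunk's final `}` appears to close it.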