From d6e5fc10e417efdf8665d9fba57c269f0534072f Mon Sep 17 00:00:00 2001 From: Allan Sandfeld Jensen Date: Fri, 1 Nov 2019 11:10:31 +0100 Subject: [Backport] Fix for CVE-2019-13720 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Obtain graph/process lock when nullifying the buffer in Reverb When the buffer is set to `null` while there is an active buffer within a reverb object, SetBuffer() function can prematurely nullify the `reverb_` and `shared_buffer_` while it is still being accessed by the rendering thread. This CL adds two locks (graph lock and process lock) when the buffer gets nullified to ensure the synchronization between two threads. (cherry picked from commit 6a2e670a243b815cf043f8da4d26ecb9a64d307b) Change-Id: I8f501b6a16b3c7e16db767e0b279a1a53d6eb290 Bug: 1019226 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1888103 Commit-Queue: Hongchan Choi Reviewed-by: Robert Sesek Cr-Original-Commit-Position: refs/heads/master@{#710627} Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1889510 Reviewed-by: Krishna Govind Cr-Commit-Position: refs/branch-heads/3953@{#8} Cr-Branched-From: b5ceb94d4b9a2f629c84df1be72f9e3d0a79fd2d-refs/heads/master@{#710313} Reviewed-by: Michael BrĂ¼ning --- chromium/third_party/blink/renderer/modules/webaudio/convolver_node.cc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/chromium/third_party/blink/renderer/modules/webaudio/convolver_node.cc b/chromium/third_party/blink/renderer/modules/webaudio/convolver_node.cc index a0c05beab71..066ed521d09 100644 --- a/chromium/third_party/blink/renderer/modules/webaudio/convolver_node.cc +++ b/chromium/third_party/blink/renderer/modules/webaudio/convolver_node.cc @@ -95,6 +95,8 @@ void ConvolverHandler::SetBuffer(AudioBuffer* buffer, DCHECK(IsMainThread()); if (!buffer) { + BaseAudioContext::GraphAutoLocker context_locker(Context()); + MutexLocker locker(process_lock_); reverb_.reset(); buffer_ = buffer; return; -- cgit v1.2.1