From d8724284f471b3d3d6c4cf2246aa8a84d7fbc6c5 Mon Sep 17 00:00:00 2001
From: Hongchan Choi
Date: Thu, 13 Feb 2020 19:59:04 +0000
Subject: [Backport] CVE-2020-6384: Use after free in WebAudio
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2042409
https://chromium-review.googlesource.com/c/chromium/src/+/2055005

Do not resume OfflineAudioContext when it is cleared

Previously OfflineAudioContext::resumeContext() method did not check if the context is cleared by ExecutionContext::ContextDestroyed(). Such case is possible when the audio context is a part of a detached iframe.

This CL changes the check so we can verify if the context's resources is still available. Otherwise, we can reject the resume promise resolver.

(cherry picked from commit 5d595814f7262727112fc068ad6d4bc9ec319df4)

Test: Locally confirmed ASAN does not crash with the repro case.
Bug: 1048473
Change-Id: I24b498b5c1a197aa2c671532a466fb188800b1e9
Reviewed-by: Jüri Valdmann
---
 .../blink/renderer/modules/webaudio/offline_audio_context.cc | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/chromium/third_party/blink/renderer/modules/webaudio/offline_audio_context.cc b/chromium/third_party/blink/renderer/modules/webaudio/offline_audio_context.cc
index 920b9cae8e4..b62c44c240a 100644
--- a/chromium/third_party/blink/renderer/modules/webaudio/offline_audio_context.cc
+++ b/chromium/third_party/blink/renderer/modules/webaudio/offline_audio_context.cc
@@ -322,8 +322,9 @@ ScriptPromise OfflineAudioContext::resumeContext(ScriptState* script_state) {
     return promise;
   }
 
-  // If the context is in a closed state, reject the promise.
-  if (ContextState() == AudioContextState::kClosed) {
+  // If the context is in a closed state or it really is closed (cleared),
+  // reject the promise.
+  if (IsContextClosed()) {
     resolver->Reject(MakeGarbageCollected(
         DOMExceptionCode::kInvalidStateError,
         "cannot resume a closed offline context"));
-- 
cgit v1.2.1
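Review bot: The new guard on the `if (IsContextClosed())` line only prevents the use-after-free if IsContextClosed() also reports true once ExecutionContext::ContextDestroyed() has cleared the context, but that helper is defined outside this hunk and the comment above the check says only "it really is closed (cleared)", which does not tell a maintainer why the weaker state check was insufficient. I would make the comment state the hazard: `// Reject if the context is closed, or if ContextDestroyed() has already released its resources (e.g. the owning iframe was detached): touching the destination after that is a use-after-free.` The commit message says the fix was verified with ASAN locally; a web test that detaches an iframe and then calls resume() on its OfflineAudioContext would pin the regression. If other entry points such as suspendContext() or startRendering() reach the same resources they presumably need the same check, which is outside this hunk and worth confirming. resumeContext() starts and ends outside the hunk.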