authorChris Cunningham <chcunningham@chromium.org>2021-01-05 21:23:21 +0000
committerMichael Brüning <michael.bruning@qt.io>2021-03-02 15:09:44 +0000
commit64e8ce7150587552a78dee83aeda7d89e350def3 (patch)
tree5bddc953c6da242b2bfe6955ead69289db849398
parent25084e5c5c8cc5637217f5785534c167e11b2c15 (diff)
[Backport] CVE-2021-21119: Use after free in Media
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2606399: MediaCapabilities: Use threadsafe static wtf::String This replaces DEFINE_THREAD_SAFE_STATIC_LOCAL(const String, ...). StringImpl ref counting (behind that macro) is not currently threadsafe. (cherry picked from commit f9add3b8e53c440129f7be4a181a22c440e856bc) Bug: 1160534 Change-Id: I70f4aa796aaefabbee36db4fcdf0fbf0defe4959 Commit-Queue: Chrome Cunningham <chcunningham@chromium.org> Reviewed-by: Jeremy Roman <jbroman@chromium.org> Auto-Submit: Chrome Cunningham <chcunningham@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#839863} Reviewed-by: Chrome Cunningham <chcunningham@chromium.org> Cr-Commit-Position: refs/branch-heads/4324@{#1460} Cr-Branched-From: c73b5a651d37a6c4d0b8e3262cc4015a5579c6c8-refs/heads/master@{#827102} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/modules/BUILD.gn19
-rw-r--r--chromium/third_party/blink/renderer/modules/media_capabilities/DEPS1
-rw-r--r--chromium/third_party/blink/renderer/modules/media_capabilities/media_capabilities.cc9
-rw-r--r--chromium/third_party/blink/renderer/modules/media_capabilities/media_capabilities_names.json59
-rw-r--r--chromium/third_party/blink/renderer/modules/modules_initializer.cc2
5 files changed, 31 insertions, 9 deletions
diff --git a/chromium/third_party/blink/renderer/modules/BUILD.gn b/chromium/third_party/blink/renderer/modules/BUILD.gn
index e167288c364..3d16fe9b8e3 100644
--- a/chromium/third_party/blink/renderer/modules/BUILD.gn
+++ b/chromium/third_party/blink/renderer/modules/BUILD.gn
@@ -34,12 +34,18 @@ config("modules_implementation") {
}
}
-make_names("module_names") {
+make_names("indexed_db_names") {
in_files = [ "indexeddb/indexed_db_names.json5" ]
output_dir = blink_modules_output_dir
deps = [] # Don't use default deps (otherwise it will be circular).
}
+make_names("media_capabilities_names") {
+ in_files = [ "media_capabilities/media_capabilities_names.json5" ]
+ output_dir = blink_modules_output_dir
+ deps = [] # Don't use default deps (otherwise it will be circular).
+}
+
target("jumbo_" + modules_target_type, "modules") {
output_name = "blink_modules"
@@ -59,8 +65,9 @@ target("jumbo_" + modules_target_type, "modules") {
"modules_initializer.h",
]
- # Compile sources generated by module_names script.
- sources += get_target_outputs(":module_names")
+ # Compile sources generated by make_names script.
+ sources += get_target_outputs(":indexed_db_names")
+ sources += get_target_outputs(":media_capabilities_names")
sources += bindings_modules_v8_files
sources += rebase_path(
@@ -81,8 +88,9 @@ target("jumbo_" + modules_target_type, "modules") {
]
deps = [
+ ":indexed_db_names",
":make_modules_generated",
- ":module_names",
+ ":media_capabilities_names",
"//third_party/blink/renderer/bindings/modules:generated",
"//third_party/blink/renderer/bindings/modules/v8:bindings_modules_impl",
"//third_party/blink/renderer/bindings/modules/v8:bindings_modules_origin_trial_features",
@@ -218,7 +226,8 @@ jumbo_source_set("modules_testing") {
group("make_modules_generated") {
public_deps = [
- ":module_names",
+ ":indexed_db_names",
+ ":media_capabilities_names",
"//third_party/blink/renderer/bindings/modules:bindings_modules_generated",
"//third_party/blink/renderer/core:core_event_interfaces",
]
diff --git a/chromium/third_party/blink/renderer/modules/media_capabilities/DEPS b/chromium/third_party/blink/renderer/modules/media_capabilities/DEPS
index 6bbc35c4180..db8ee0a01b3 100644
--- a/chromium/third_party/blink/renderer/modules/media_capabilities/DEPS
+++ b/chromium/third_party/blink/renderer/modules/media_capabilities/DEPS
@@ -1,4 +1,5 @@
include_rules = [
"-third_party/blink/renderer/modules",
"+third_party/blink/renderer/modules/media_capabilities",
+ "+third_party/blink/renderer/modules/media_capabilities_names.h",
]
diff --git a/chromium/third_party/blink/renderer/modules/media_capabilities/media_capabilities.cc b/chromium/third_party/blink/renderer/modules/media_capabilities/media_capabilities.cc
index 503294aafe3..08241789b3c 100644
--- a/chromium/third_party/blink/renderer/modules/media_capabilities/media_capabilities.cc
+++ b/chromium/third_party/blink/renderer/modules/media_capabilities/media_capabilities.cc
@@ -21,6 +21,7 @@
#include "third_party/blink/renderer/modules/media_capabilities/media_configuration.h"
#include "third_party/blink/renderer/modules/media_capabilities/media_decoding_configuration.h"
#include "third_party/blink/renderer/modules/media_capabilities/media_encoding_configuration.h"
+#include "third_party/blink/renderer/modules/media_capabilities_names.h"
#include "third_party/blink/renderer/platform/bindings/script_state.h"
#include "third_party/blink/renderer/platform/bindings/v8_throw_exception.h"
#include "third_party/blink/renderer/platform/network/parsed_content_type.h"
@@ -116,9 +117,9 @@ WebAudioConfiguration ToWebAudioConfiguration(
DCHECK(parsed_content_type.IsValid());
DCHECK(!parsed_content_type.GetParameters().HasDuplicatedNames());
- DEFINE_STATIC_LOCAL(const String, codecs, ("codecs"));
web_configuration.mime_type = parsed_content_type.MimeType().LowerASCII();
- web_configuration.codec = parsed_content_type.ParameterValueForName(codecs);
+ web_configuration.codec = parsed_content_type.ParameterValueForName(
+ MediaCapabilitiesNames::codecs);
// |channels| is optional and will be set to a null WebString if not present.
web_configuration.channels = configuration.hasChannels()
@@ -144,9 +145,9 @@ WebVideoConfiguration ToWebVideoConfiguration(
DCHECK(parsed_content_type.IsValid());
DCHECK(!parsed_content_type.GetParameters().HasDuplicatedNames());
- DEFINE_STATIC_LOCAL(const String, codecs, ("codecs"));
web_configuration.mime_type = parsed_content_type.MimeType().LowerASCII();
- web_configuration.codec = parsed_content_type.ParameterValueForName(codecs);
+ web_configuration.codec = parsed_content_type.ParameterValueForName(
+ MediaCapabilitiesNames::codecs);
DCHECK(configuration.hasWidth());
web_configuration.width = configuration.width();
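Review bot: The two new ParameterValueForName calls read MediaCapabilitiesNames::codecs without anything in the hunk recording why the function-local static String was removed, so a later refactor can reintroduce the same pattern; add a why-comment above the call in both ToWebAudioConfiguration and ToWebVideoConfiguration, e.g. `// Use the generated name, not a function-local static String: this can run on more than one thread and StringImpl refcounting is not threadsafe (crbug.com/1160534).` Both helpers begin and end outside their hunks. The removed lines use DEFINE_STATIC_LOCAL while the description speaks of DEFINE_THREAD_SAFE_STATIC_LOCAL; the backport description could state which macro this branch actually carried. The new code also depends on MediaCapabilitiesNames::init() (added in modules_initializer.cc by this commit) having run before any thread reaches these helpers; that ordering is presumably guaranteed by ModulesInitializer::Initialize() running at startup, but the comment should say so.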
diff --git a/chromium/third_party/blink/renderer/modules/media_capabilities/media_capabilities_names.json5 b/chromium/third_party/blink/renderer/modules/media_capabilities/media_capabilities_names.json5
new file mode 100644
index 00000000000..a2e65f86e09
--- /dev/null
+++ b/chromium/third_party/blink/renderer/modules/media_capabilities/media_capabilities_names.json5
@@ -0,0 +1,9 @@
+{
+ metadata: {
+ namespace: "MediaCapabilities",
+ },
+
+ data: [
+ "codecs",
+ ],
+}
diff --git a/chromium/third_party/blink/renderer/modules/modules_initializer.cc b/chromium/third_party/blink/renderer/modules/modules_initializer.cc
index 690c337d13d..af4e677ff10 100644
--- a/chromium/third_party/blink/renderer/modules/modules_initializer.cc
+++ b/chromium/third_party/blink/renderer/modules/modules_initializer.cc
@@ -59,6 +59,7 @@
#include "third_party/blink/renderer/modules/indexeddb/inspector_indexed_db_agent.h"
#include "third_party/blink/renderer/modules/installation/installation_service_impl.h"
#include "third_party/blink/renderer/modules/installedapp/installed_app_controller.h"
+#include "third_party/blink/renderer/modules/media_capabilities_names.h"
#include "third_party/blink/renderer/modules/media_controls/media_controls_impl.h"
#include "third_party/blink/renderer/modules/mediastream/user_media_client.h"
#include "third_party/blink/renderer/modules/mediastream/user_media_controller.h"
@@ -108,6 +109,7 @@ void ModulesInitializer::Initialize() {
Document::RegisterEventFactory(EventModulesFactory::Create());
ModuleBindingsInitializer::Init();
IndexedDBNames::init();
+ MediaCapabilitiesNames::init();
AXObjectCache::Init(AXObjectCacheImpl::Create);
DraggedIsolatedFileSystem::Init(
DraggedIsolatedFileSystemImpl::PrepareForDataObject);
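Review bot: The added MediaCapabilitiesNames::init() line carries no hint that its placement matters, yet the media_capabilities.cc change in this commit only removes the race if the generated name is initialized before any other thread reads it; a short comment keeps a later reorder of Initialize() from silently breaking that, e.g. `// Must run before any thread reads MediaCapabilitiesNames (crbug.com/1160534).` ModulesInitializer::Initialize() continues outside the hunk. Whether anything earlier in Initialize() can already start a worker is not visible here, so that is a point to confirm rather than a defect.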