authorTed Meyer <tmathmeyer@chromium.org>2022-06-06 21:18:48 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2022-07-25 14:23:14 +0000
commit7fa00e209d0d875b58bd1d4dc845c340d2bade26 (patch)
tree47855800d3be8a0f2bbcee4ac787360e51185f99
parent4910f9068c2a8c0ba2f83401f542d637c1bfc04a (diff)
downloadqtwebengine-chromium-7fa00e209d0d875b58bd1d4dc845c340d2bade26.tar.gz
[Backport] Dependency for security bug 1333333
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3691325: Post media log destruction to avoid destruction. SendQueuedMediaEvents is able to tickle oilpan just enough to cause the owning BatchingMediaLog to be destroyed in the middle of executing, causing a UAF. (cherry picked from commit 57e905d0943695fb96a1a1a251382d15a9b2fee1) Bug: 1317714 Change-Id: Iac2f32aee70eee183be279b372beb2ff39e6c5a0 Reviewed-by: Frank Liberato <liberato@chromium.org> Auto-Submit: Ted (Chromium) Meyer <tmathmeyer@chromium.org> Reviewed-by: Thomas Guilbert <tguilbert@chromium.org> Commit-Queue: Ted (Chromium) Meyer <tmathmeyer@chromium.org> Cr-Original-Commit-Position: refs/heads/main@{#1009670} Reviewed-by: Dan Sanders <sandersd@chromium.org> Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Commit-Queue: Dan Sanders <sandersd@chromium.org> Cr-Commit-Position: refs/branch-heads/5005@{#1126} Cr-Branched-From: 5b4d9450fee01f821b6400e947b3839727643a71-refs/heads/main@{#992738} Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/modules/webcodecs/codec_logger.cc6
-rw-r--r--chromium/third_party/blink/renderer/modules/webcodecs/codec_logger.h3
2 files changed, 9 insertions, 0 deletions
diff --git a/chromium/third_party/blink/renderer/modules/webcodecs/codec_logger.cc b/chromium/third_party/blink/renderer/modules/webcodecs/codec_logger.cc
index 257f84f195b..32698e3778c 100644
--- a/chromium/third_party/blink/renderer/modules/webcodecs/codec_logger.cc
+++ b/chromium/third_party/blink/renderer/modules/webcodecs/codec_logger.cc
@@ -37,6 +37,8 @@ CodecLogger::CodecLogger(
// This allows us to destroy |parent_media_log_| and stop logging,
// without causing problems to |media_log_| users.
media_log_ = parent_media_log_->Clone();
+
+ task_runner_ = task_runner;
}
DOMException* CodecLogger::MakeException(std::string error_msg,
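Review bot: `task_runner_ = task_runner;` at the end of the constructor stores the runner without validating it, while the new destructor dereferences `task_runner_` unconditionally, so a null runner would turn teardown into a null dereference at the very spot the UAF is being fixed; add `DCHECK(task_runner_);` right after the assignment. The constructor's signature and the `task_runner` parameter are outside the hunk, so whether any caller can pass a null runner cannot be confirmed from here. If the parameter is taken by value, the copy of a refcounted `scoped_refptr` can also be a move, `task_runner_ = std::move(task_runner);`.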
@@ -65,6 +67,10 @@ DOMException* CodecLogger::MakeException(std::string error_msg,
CodecLogger::~CodecLogger() {
DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+ // media logs must be posted for destruction, since they can cause the
+ // garbage collector to trigger an immediate cleanup and delete the owning
+ // instance of |CodecLogger|.
+ task_runner_->DeleteSoon(FROM_HERE, std::move(parent_media_log_));
}
void CodecLogger::Neuter() {
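Review bot: The new destructor comment says media logs must be posted for destruction, yet only `parent_media_log_` goes through `DeleteSoon`; `media_log_`, the clone created in the constructor, is still destroyed inline by implicit member destruction, so the comment should state why that is safe, e.g. `// |media_log_| is a forwarding clone that owns no event queue, so destroying it inline cannot re-enter GC.` — and if the clone can reach SendQueuedMediaEvents too, it needs the same treatment. `DeleteSoon` quietly leaks or drops the object once the runner stops running tasks, so a `DCHECK(task_runner_->RunsTasksInCurrentSequence());` next to the existing sequence check would pin that the deferred deletion lands on the logger's own sequence rather than off-sequence. Neuter(), whose body begins on the last line of the hunk and continues outside it, presumably destroys `parent_media_log_` per the constructor comment; if it resets that pointer inline, the same oilpan re-entrancy applies there and it should route through the same `DeleteSoon` path.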
diff --git a/chromium/third_party/blink/renderer/modules/webcodecs/codec_logger.h b/chromium/third_party/blink/renderer/modules/webcodecs/codec_logger.h
index 0329c6e6ef9..843b7b727cf 100644
--- a/chromium/third_party/blink/renderer/modules/webcodecs/codec_logger.h
+++ b/chromium/third_party/blink/renderer/modules/webcodecs/codec_logger.h
@@ -74,6 +74,9 @@ class MODULES_EXPORT CodecLogger final {
// can be safely accessed, and whose raw pointer can be given callbacks.
std::unique_ptr<media::MediaLog> media_log_;
+ // Keep task runner around for posting the media log to upon destruction.
+ scoped_refptr<base::SingleThreadTaskRunner> task_runner_;
+
SEQUENCE_CHECKER(sequence_checker_);
};
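Review bot: The comment on `task_runner_` says what the member is for but not which runner it must be; since `~CodecLogger` posts `parent_media_log_` to it, it has to be the sequence this logger lives on (the one `sequence_checker_` guards), otherwise the media log is destroyed off-sequence. Suggest replacing the comment with `// The sequence this logger lives on. ~CodecLogger posts |parent_media_log_| here for deletion because destroying it inline can re-enter GC and free |this|.`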