authorTed Meyer <tmathmeyer@chromium.org>2022-06-07 02:54:55 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2022-07-25 14:23:21 +0000
commitcf40317ef3d2a563c174deecc9a4f89caca38fe5 (patch)
tree91b45aae2f3c22c1b626aa619554fd09199a2ca6
parent7fa00e209d0d875b58bd1d4dc845c340d2bade26 (diff)
downloadqtwebengine-chromium-cf40317ef3d2a563c174deecc9a4f89caca38fe5.tar.gz
[Backport] Security bug 1333333
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3689639: Add Stop method to BatchingMediaLog Now that ~MediaLog is posted for a later destruction due to garbage collector ownership of CodecLogger, it's possible for the SendQueuedMediaEvents call from ~BatchingMediaLog to reference InspectorMediaEventHandler::inspector_context_ after it has been freed. This fix forces BatchingMediaLog to shut down its logging capabilities when the destruction call is caused by the garbage collector deletion phase R=liberato Bug: 1333333 Change-Id: I0bdca72a71177c4c5a6a9dc692aad3de4c25f4e2 Commit-Queue: Ted (Chromium) Meyer <tmathmeyer@chromium.org> Reviewed-by: Eugene Zemtsov <eugene@chromium.org> Cr-Commit-Position: refs/heads/main@{#1011247} Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/content/renderer/media/batching_media_log.cc5
-rw-r--r--chromium/content/renderer/media/batching_media_log.h2
-rw-r--r--chromium/media/base/media_log.cc3
-rw-r--r--chromium/media/base/media_log.h4
-rw-r--r--chromium/third_party/blink/renderer/modules/webcodecs/codec_logger.cc5
5 files changed, 18 insertions, 1 deletions
diff --git a/chromium/content/renderer/media/batching_media_log.cc b/chromium/content/renderer/media/batching_media_log.cc
index 2d12a5eb42b..b6b21aa1deb 100644
--- a/chromium/content/renderer/media/batching_media_log.cc
+++ b/chromium/content/renderer/media/batching_media_log.cc
@@ -75,6 +75,11 @@ BatchingMediaLog::~BatchingMediaLog() {
SendQueuedMediaEvents();
}
+void BatchingMediaLog::Stop() {
+ base::AutoLock lock(lock_);
+ event_handlers_.clear();
+}
+
void BatchingMediaLog::OnWebMediaPlayerDestroyedLocked() {
base::AutoLock lock(lock_);
for (const auto& handler : event_handlers_)
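Review bot: Stop() destroys the EventHandler objects while still holding |lock_| (the clear() on the line after the AutoLock), so if any handler destructor re-enters this log, directly or through something it tears down, a non-reentrant base::Lock would deadlock; I would swap the vector out under the lock and let it die after the lock is released. Stop() also leaves whatever was already queued undelivered, because the flush in ~BatchingMediaLog() (the SendQueuedMediaEvents() call at the top of the hunk) now runs with no handlers; that is the intent of the fix, but it deserves a comment such as `// Queued events are intentionally discarded: the handlers' targets may already be gone.` Whether any handler destructor actually re-enters the log is not visible here, so treat the swap as a defensive measure. The bodies of ~BatchingMediaLog() and OnWebMediaPlayerDestroyedLocked() extend beyond the hunk.
```cpp
void BatchingMediaLog::Stop() {
  // Detach the handlers under |lock_|, but destroy them after releasing it so
  // that a handler destructor can never re-enter this log while it is locked.
  std::vector<std::unique_ptr<EventHandler>> detached;
  {
    base::AutoLock lock(lock_);
    detached.swap(event_handlers_);
  }
  // Queued events are intentionally discarded: the handlers' targets may
  // already be gone, which is why Stop() exists.
}
```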
diff --git a/chromium/content/renderer/media/batching_media_log.h b/chromium/content/renderer/media/batching_media_log.h
index c59dbf2a2b9..8a2bab9257c 100644
--- a/chromium/content/renderer/media/batching_media_log.h
+++ b/chromium/content/renderer/media/batching_media_log.h
@@ -42,6 +42,8 @@ class CONTENT_EXPORT BatchingMediaLog : public media::MediaLog {
std::vector<std::unique_ptr<EventHandler>> impl);
~BatchingMediaLog() override;
+ void Stop() override;
+
// Will reset |last_ipc_send_time_| with the value of NowTicks().
void SetTickClockForTesting(const base::TickClock* tick_clock);
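Review bot: The new `void Stop() override;` declaration carries no comment, while the neighbouring declaration in this header does, and the override's guarantee is stronger than the base-class wording conveys. I would document it as `// Drops every EventHandler so that nothing logged afterwards, including the final flush in ~BatchingMediaLog(), reaches them. Takes |lock_|.` Whether it is meant to be called more than once is not visible here and should be stated if so. The enclosing class declaration starts before and continues after the hunk.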
diff --git a/chromium/media/base/media_log.cc b/chromium/media/base/media_log.cc
index 6cb08ed64cb..e3f8f22fed1 100644
--- a/chromium/media/base/media_log.cc
+++ b/chromium/media/base/media_log.cc
@@ -48,6 +48,9 @@ std::string MediaLog::GetErrorMessageLocked() {
return "";
}
+// Default implementation.
+void MediaLog::Stop() {}
+
void MediaLog::AddMessage(MediaLogMessageLevel level, std::string message) {
std::unique_ptr<MediaLogRecord> record(
CreateRecord(MediaLogRecord::Type::kMessage));
diff --git a/chromium/media/base/media_log.h b/chromium/media/base/media_log.h
index 46b52ae5587..2ae821ee11c 100644
--- a/chromium/media/base/media_log.h
+++ b/chromium/media/base/media_log.h
@@ -122,6 +122,10 @@ class MEDIA_EXPORT MediaLog {
// even if this occurs, in the "won't crash" sense.
virtual std::unique_ptr<MediaLog> Clone();
+ // Can be used for stopping a MediaLog during a garbage-collected destruction
+ // sequence.
+ virtual void Stop();
+
protected:
// Ensures only subclasses and factories (e.g. Clone()) can create MediaLog.
MediaLog();
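Review bot: The comment on the new virtual Stop() says when it may be used but not what an override must guarantee, so an implementer has nothing to check against and a caller cannot tell what is safe after it returns. I would state the contract instead: `// Severs this log from every externally owned sink it writes to. After Stop() returns, nothing, including ~MediaLog, may touch those sinks; records logged afterwards are dropped. The base implementation is a no-op.` Whether Stop() may be invoked more than once, or from a thread other than the one that logs, is not visible here, so the comment should say which is intended. MediaLog's declaration continues outside the hunk.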
diff --git a/chromium/third_party/blink/renderer/modules/webcodecs/codec_logger.cc b/chromium/third_party/blink/renderer/modules/webcodecs/codec_logger.cc
index 32698e3778c..c58eb6f6e4c 100644
--- a/chromium/third_party/blink/renderer/modules/webcodecs/codec_logger.cc
+++ b/chromium/third_party/blink/renderer/modules/webcodecs/codec_logger.cc
@@ -70,7 +70,10 @@ CodecLogger::~CodecLogger() {
// media logs must be posted for destruction, since they can cause the
// garbage collector to trigger an immediate cleanup and delete the owning
// instance of |CodecLogger|.
- task_runner_->DeleteSoon(FROM_HERE, std::move(parent_media_log_));
+ if (parent_media_log_) {
+ parent_media_log_->Stop();
+ task_runner_->DeleteSoon(FROM_HERE, std::move(parent_media_log_));
+ }
}
void CodecLogger::Neuter() {
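Review bot: The comment kept above the new `if` (the lines beginning "media logs must be posted for destruction") now explains only the DeleteSoon, not why Stop() has to precede it, which is the actual fix; a reader will not see that the deferred destructor would otherwise flush into a handler whose inspector context may already have been freed. I would extend it with `// Stop() first: the deferred destructor would otherwise flush queued events into handlers whose targets may already be freed by the time the task runs.` Also, MediaLog::Clone() exists in this series, so if any clone of |parent_media_log_| is still alive elsewhere, confirm that Stop() on the parent also keeps the clone's records away from the handlers; that is not visible here. Neuter() begins on the last line of the hunk and its body lies outside it.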