authorGuido Urdaneta <guidou@chromium.org>2020-07-22 18:10:26 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2020-08-19 12:36:23 +0000
commite490120c6b63735754b3e8a73173918d7dc40ec5 (patch)
tree7dfdec06aa7e7032dfc2288b706433c477619dcb
parentcc48de17c5db90ae3ef5eb1c1c9e540ab9c2f7e2 (diff)
downloadqtwebengine-chromium-e490120c6b63735754b3e8a73173918d7dc40ec5.tar.gz
[Backport] CVE-2020-6549: Use after free in media
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2312703: Use copy of source map in MediaElementElementListener::UpdateSources() Prior to this CL, this function iterated over a source map that could be modified by a re-entrant call triggered by JS code. Bug: 1105426 Change-Id: I47e49e4132cba98e12ee7c195720ac9ecc1f485b Reviewed-by: Marina Ciocea <marinaciocea@chromium.org> Commit-Queue: Guido Urdaneta <guidou@chromium.org> Cr-Commit-Position: refs/heads/master@{#790894} Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/modules/mediacapturefromelement/html_media_element_capture.cc7
1 files changed, 6 insertions, 1 deletions
diff --git a/chromium/third_party/blink/renderer/modules/mediacapturefromelement/html_media_element_capture.cc b/chromium/third_party/blink/renderer/modules/mediacapturefromelement/html_media_element_capture.cc
index fa721b21655..ce8319f8e8e 100644
--- a/chromium/third_party/blink/renderer/modules/mediacapturefromelement/html_media_element_capture.cc
+++ b/chromium/third_party/blink/renderer/modules/mediacapturefromelement/html_media_element_capture.cc
@@ -129,10 +129,15 @@ void MediaElementEventListener::UpdateSources(ExecutionContext* context) {
for (auto track : media_stream_->getTracks())
sources_.insert(track->Component()->Source());
+ // Handling of the ended event in JS triggered by DidStopMediaStreamSource()
+ // may cause a reentrant call to this function, which can modify |sources_|.
+ // Iterate over a copy of |sources_| to avoid invalidation of the iterator
+ // when a reentrant call occurs.
+ auto sources_copy = sources_;
if (!media_element_->currentSrc().IsEmpty() &&
!media_element_->IsMediaDataCORSSameOrigin(
context->GetSecurityOrigin())) {
- for (auto source : sources_)
+ for (auto source : sources_copy)
MediaStreamCenter::Instance().DidStopMediaStreamSource(source);
}
}
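Review bot: The copy `auto sources_copy = sources_;` on the new side is made unconditionally, but it is only consumed inside the `if` that follows, so every call that takes the same-origin path pays for a container copy it never reads. Moving the copy (and its comment) inside the branch keeps the fix and limits the cost to the cross-origin case: `if (...) { auto sources_copy = sources_; for (auto source : sources_copy) ... }`. The copy addresses iterator invalidation, but whether the elements themselves remain valid when a reentrant call erases them from |sources_| depends on how |sources_| owns them, which is not visible in the hunk; a short comment stating that assumption next to the copy would help the next reader. UpdateSources begins before this hunk, as the @@ header shows.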