author | Guido Urdaneta <guidou@chromium.org> | 2020-07-22 18:10:26 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2020-08-19 12:36:23 +0000 |
commit | e490120c6b63735754b3e8a73173918d7dc40ec5 (patch) | |
tree | 7dfdec06aa7e7032dfc2288b706433c477619dcb | |
parent | cc48de17c5db90ae3ef5eb1c1c9e540ab9c2f7e2 (diff) | |
download | qtwebengine-chromium-e490120c6b63735754b3e8a73173918d7dc40ec5.tar.gz |
[Backport] CVE-2020-6549: Use after free in media
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2312703:
Use copy of source map in MediaElementElementListener::UpdateSources()
Prior to this CL, this function iterated over a source map that could
be modified by a re-entrant call triggered by JS code.
Bug: 1105426
Change-Id: I47e49e4132cba98e12ee7c195720ac9ecc1f485b
Reviewed-by: Marina Ciocea <marinaciocea@chromium.org>
Commit-Queue: Guido Urdaneta <guidou@chromium.org>
Cr-Commit-Position: refs/heads/master@{#790894}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/third_party/blink/renderer/modules/mediacapturefromelement/html_media_element_capture.cc | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/chromium/third_party/blink/renderer/modules/mediacapturefromelement/html_media_element_capture.cc b/chromium/third_party/blink/renderer/modules/mediacapturefromelement/html_media_element_capture.cc index fa721b21655..ce8319f8e8e 100644 --- a/chromium/third_party/blink/renderer/modules/mediacapturefromelement/html_media_element_capture.cc +++ b/chromium/third_party/blink/renderer/modules/mediacapturefromelement/html_media_element_capture.cc @@ -129,10 +129,15 @@ void MediaElementEventListener::UpdateSources(ExecutionContext* context) { for (auto track : media_stream_->getTracks()) sources_.insert(track->Component()->Source()); + // Handling of the ended event in JS triggered by DidStopMediaStreamSource() + // may cause a reentrant call to this function, which can modify |sources_|. + // Iterate over a copy of |sources_| to avoid invalidation of the iterator + // when a reentrant call occurs. + auto sources_copy = sources_; if (!media_element_->currentSrc().IsEmpty() && !media_element_->IsMediaDataCORSSameOrigin( context->GetSecurityOrigin())) { - for (auto source : sources_) + for (auto source : sources_copy) MediaStreamCenter::Instance().DidStopMediaStreamSource(source); } } |
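Review bot: the copy `auto sources_copy = sources_;` is taken unconditionally, before the `if (!media_element_->currentSrc().IsEmpty() && ...)` guard, so every call to UpdateSources() pays for copying the whole set even on the common path where the CORS check passes and the loop never runs; moving the copy (and its comment) inside the `if` block, directly above `for (auto source : sources_copy)`, keeps the fix while confining the cost to the case that needs it. A second point on the same hunk: iterating `sources_copy` removes the iterator-invalidation hazard the comment describes, but it also means a reentrant call that erases a source from `sources_` is not visible to the outer loop, so `DidStopMediaStreamSource(source)` can be invoked for a source the nested call already stopped; either extend the comment to state that repeated stop calls for one source are safe, or re-check membership in the live `sources_` inside the loop before calling it.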