author | Guido Urdaneta <guidou@chromium.org> | 2020-07-22 18:10:26 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2020-08-11 14:48:58 +0000 |
commit | d2f5e4d3a25b3668362015ddba4f3b5932ed200f (patch) | |
tree | 93512e2e9326009d962dcc90c70e859b203039c5 | |
parent | 69a85eaabf20737316564411a66aa8d497e83135 (diff) | |
download | qtwebengine-chromium-d2f5e4d3a25b3668362015ddba4f3b5932ed200f.tar.gz |
[Backport] CVE-2020-6549: Use after free in media
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2312703:
Use copy of source map in MediaElementElementListener::UpdateSources()
Prior to this CL, this function iterated over a source map that could
be modified by a re-entrant call triggered by JS code.
Bug: 1105426
Change-Id: I47e49e4132cba98e12ee7c195720ac9ecc1f485b
Reviewed-by: Marina Ciocea <marinaciocea@chromium.org>
Commit-Queue: Guido Urdaneta <guidou@chromium.org>
Cr-Commit-Position: refs/heads/master@{#790894}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/third_party/blink/renderer/modules/mediacapturefromelement/html_media_element_capture.cc | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/chromium/third_party/blink/renderer/modules/mediacapturefromelement/html_media_element_capture.cc b/chromium/third_party/blink/renderer/modules/mediacapturefromelement/html_media_element_capture.cc index a24f912ad07..c6314cd9f3a 100644 --- a/chromium/third_party/blink/renderer/modules/mediacapturefromelement/html_media_element_capture.cc +++ b/chromium/third_party/blink/renderer/modules/mediacapturefromelement/html_media_element_capture.cc @@ -240,9 +240,14 @@ void MediaElementEventListener::UpdateSources(ExecutionContext* context) { for (auto track : media_stream_->getTracks()) sources_.insert(track->Component()->Source()); + // Handling of the ended event in JS triggered by DidStopMediaStreamSource() + // may cause a reentrant call to this function, which can modify |sources_|. + // Iterate over a copy of |sources_| to avoid invalidation of the iterator + // when a reentrant call occurs. + auto sources_copy = sources_; if (!media_element_->currentSrc().IsEmpty() && !media_element_->IsMediaDataCorsSameOrigin()) { - for (auto source : sources_) + for (auto source : sources_copy) DidStopMediaStreamSource(source.Get()); } } |
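Review bot: the copy `auto sources_copy = sources_;` is taken unconditionally, before the `currentSrc().IsEmpty()` / `IsMediaDataCorsSameOrigin()` check that decides whether the loop runs at all, so every call pays for copying the set even on the common path where nothing is stopped; moving the copy inside the `if` keeps the fix and avoids that work. Iterating over the copy does remove the iterator invalidation, but it also means `DidStopMediaStreamSource(source.Get())` can now be reached for a source that a reentrant `UpdateSources()` has already removed from `|sources_|` or stopped itself; if that call is not idempotent, re-check membership in the live `|sources_|` before calling it. Minor: the commit message names the class `MediaElementElementListener`, while the hunk header shows `MediaElementEventListener::UpdateSources`.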