From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jeremy Rose <japthorp@slack-corp.com>
Date: Tue, 28 Jun 2022 14:36:57 -0700
Subject: Post media log destruction to avoid destruction
SendQueuedMediaEvents is able to tickle oilpan just enough to cause
the owning BatchingMediaLog to be destroyed in the middle of executing,
causing a UAF.
(cherry picked from commit 57e905d0943695fb96a1a1a251382d15a9b2fee1)
Bug: 1317714
Change-Id: Iac2f32aee70eee183be279b372beb2ff39e6c5a0
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3682060
Reviewed-by: Frank Liberato <liberato@chromium.org>
Auto-Submit: Ted (Chromium) Meyer <tmathmeyer@chromium.org>
Reviewed-by: Thomas Guilbert <tguilbert@chromium.org>
Commit-Queue: Ted (Chromium) Meyer <tmathmeyer@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1009670}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3691325
Reviewed-by: Dan Sanders <sandersd@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Dan Sanders <sandersd@chromium.org>
Cr-Commit-Position: refs/branch-heads/5005@{#1126}
Cr-Branched-From: 5b4d9450fee01f821b6400e947b3839727643a71-refs/heads/main@{#992738}
diff --git a/third_party/blink/renderer/modules/webcodecs/codec_logger.cc b/third_party/blink/renderer/modules/webcodecs/codec_logger.cc
index 257f84f195b4d637445c58bf92a82a3a83836d84..32698e3778ca40b2e0ef26f020269f9a2b0f9cb9 100644
--- a/third_party/blink/renderer/modules/webcodecs/codec_logger.cc
+++ b/third_party/blink/renderer/modules/webcodecs/codec_logger.cc
@@ -37,6 +37,8 @@ CodecLogger::CodecLogger(
// This allows us to destroy |parent_media_log_| and stop logging,
// without causing problems to |media_log_| users.
media_log_ = parent_media_log_->Clone();
+
+ task_runner_ = task_runner;
}
DOMException* CodecLogger::MakeException(std::string error_msg,
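Review bot: `task_runner_ = task_runner;` stores the runner without checking it, while the destructor in the next hunk dereferences `task_runner_` unconditionally, so a null runner surfaces as a crash at teardown instead of at construction; a `DCHECK(task_runner);` beside the assignment makes the contract explicit where the value arrives. If `task_runner` is a by-value `scoped_refptr` parameter, `task_runner_ = std::move(task_runner);` also avoids a refcount round-trip, though the parameter list is not visible here. The constructor's signature and parameter list start outside the hunk.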
@@ -65,6 +67,10 @@ DOMException* CodecLogger::MakeException(std::string error_msg,
CodecLogger::~CodecLogger() {
DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+ // media logs must be posted for destruction, since they can cause the
+ // garbage collector to trigger an immediate cleanup and delete the owning
+ // instance of |CodecLogger|.
+ task_runner_->DeleteSoon(FROM_HERE, std::move(parent_media_log_));
}
void CodecLogger::Neuter() {
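Review bot: The added comment says "media logs must be posted for destruction", but only `parent_media_log_` is posted; `media_log_`, the clone made in the constructor, is still destroyed synchronously by member destruction after this body runs, so the comment as written overstates what the fix covers. If the clone cannot re-enter the garbage collector the comment should name the member and say so, e.g. `// |parent_media_log_| must be posted for destruction: tearing it down can trigger an immediate GC cleanup that deletes this CodecLogger mid-destructor (UAF). |media_log_| is a clone and is safe to destroy inline.`; if it can, it needs the same `DeleteSoon` treatment. Since the posted deletion now runs after this object is gone, nothing reachable from `parent_media_log_` may hold a raw pointer back to this `CodecLogger` — worth a sentence in the comment if that invariant is not documented elsewhere. The following `Neuter()` body lies outside the hunk.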
diff --git a/third_party/blink/renderer/modules/webcodecs/codec_logger.h b/third_party/blink/renderer/modules/webcodecs/codec_logger.h
index 0329c6e6ef9fa05524a685fb46b274f811672185..843b7b727cf3d30282c438ad83f82277d8849ae7 100644
--- a/third_party/blink/renderer/modules/webcodecs/codec_logger.h
+++ b/third_party/blink/renderer/modules/webcodecs/codec_logger.h
@@ -74,6 +74,9 @@ class MODULES_EXPORT CodecLogger final {
// can be safely accessed, and whose raw pointer can be given callbacks.
std::unique_ptr<media::MediaLog> media_log_;
+ // Keep task runner around for posting the media log to upon destruction.
+ scoped_refptr<base::SingleThreadTaskRunner> task_runner_;
+
SEQUENCE_CHECKER(sequence_checker_);
};
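Review bot: The member comment on `task_runner_` should state the sequencing contract, since the destructor in codec_logger.cc deletes `parent_media_log_` on this runner: the runner presumably has to be the sequence `sequence_checker_` guards, or the media log would be destroyed off its owning sequence — confirm against the constructor's caller. Suggest `// Runner of the sequence this logger lives on; |parent_media_log_| is posted here for deferred destruction in ~CodecLogger so its teardown cannot re-enter GC and free |this|.` The enclosing class starts outside the hunk.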