| field | value | date |
|---|---|---|
| author | Ted Meyer <tmathmeyer@chromium.org> | 2022-02-23 01:34:20 +0000 |
| committer | Michael Brüning <michael.bruning@qt.io> | 2022-06-03 11:39:16 +0000 |
| commit | ecc2bb74f1f7140fc52650042299be18e826b27b (patch) | |
| tree | 1a8ba9ec0a7dcf9617a0ad1f7f979543819b66c3 /.gitattributes | |
| parent | a7a23ccc69e6756e02583e6871cc37151d89a7c2 (diff) | |
[Backport] CVE-2022-0796: Use after free in Media
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3482463:
Guard BatchingMediaLog::event_handlers_ with lock
It seems that despite MediaLog::OnWebMediaPlayerDestroyed and
MediaLog::AddLogRecord both grabbing a lock,
BatchingMediaLog::AddLogRecordLocked can escape the lock handle by
posting BatchingMediaLog::SendQueuedMediaEvents, causing a race.
When the addition of an event is interrupted by the deletion of a player
due to player culling in MediaInspectorContextImpl, a UAF can occur.
R=dalecurtis
(cherry picked from commit 34526c3d0a857a22618e4d77c7f63b5ca6f8d3d2)
Bug: 1295786
Change-Id: I77df94988f806e4d98924669d27860e50455299d
Reviewed-by: Dale Curtis <dalecurtis@chromium.org>
Commit-Queue: Ted (Chromium) Meyer <tmathmeyer@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#970815}
Auto-Submit: Ted (Chromium) Meyer <tmathmeyer@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/branch-heads/4758@{#1192}
Cr-Branched-From: 4a2cf4baf90326df19c3ee70ff987960d59a386e-refs/heads/main@{#950365}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to '.gitattributes')
0 files changed, 0 insertions, 0 deletions
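The race the commit message describes is a general one: a method takes a lock, but while holding it posts a task that later runs with the lock released and touches the same container the lock was meant to protect. The following is an added illustration of that pattern and of the fix it names (consulting the handler table under the same lock inside the posted task); it is not Chromium code, and `BatchingMediaLog`, `EventHandler`, `FakeTaskRunner`, `RegisterPlayer`, `ReplayRace` and the single-threaded task runner are simplified stand-ins for the real classes, not their actual interfaces. The fake task runner replays the interleaving deterministically: a record is queued for a player, the player is culled before the send task runs, and the send task then runs outside the lock that `AddLogRecord` held.

```cpp
// Added example, not Chromium's code: a minimal model of the locking pattern
// from the commit message. Class and method names are hypothetical stand-ins.
#include <cstddef>
#include <deque>
#include <functional>
#include <map>
#include <memory>
#include <mutex>
#include <string>
#include <utility>
#include <vector>

struct LogRecord {
  int player_id;
  std::string message;
};

// Per-player receiver of log records; destroyed when the player is culled.
struct EventHandler {
  std::vector<std::string> received;
};

// Stand-in for a task runner: posted tasks run later, outside any lock.
class FakeTaskRunner {
 public:
  void PostTask(std::function<void()> task) { tasks_.push_back(std::move(task)); }
  // Runs every pending task; returns how many ran.
  std::size_t RunUntilIdle() {
    std::size_t n = 0;
    while (!tasks_.empty()) {
      auto task = std::move(tasks_.front());
      tasks_.pop_front();
      task();
      ++n;
    }
    return n;
  }
 private:
  std::deque<std::function<void()>> tasks_;
};

class BatchingMediaLog {
 public:
  explicit BatchingMediaLog(FakeTaskRunner* runner) : runner_(runner) {}

  void RegisterPlayer(int player_id) {
    std::lock_guard<std::mutex> lock(lock_);
    event_handlers_[player_id] = std::make_unique<EventHandler>();
  }

  // Called during player culling. Taking lock_ here is only half of the fix:
  // the posted send task must also read event_handlers_ under lock_.
  void OnWebMediaPlayerDestroyed(int player_id) {
    std::lock_guard<std::mutex> lock(lock_);
    event_handlers_.erase(player_id);
  }

  void AddLogRecord(LogRecord record) {
    std::lock_guard<std::mutex> lock(lock_);
    AddLogRecordLocked(std::move(record));
  }

  std::size_t delivered() const { return delivered_; }

  // Messages the handler for player_id has received (empty if it is gone).
  std::vector<std::string> ReceivedBy(int player_id) {
    std::lock_guard<std::mutex> lock(lock_);
    auto it = event_handlers_.find(player_id);
    if (it == event_handlers_.end()) return {};
    return it->second->received;
  }

 private:
  void AddLogRecordLocked(LogRecord record) {
    queued_.push_back(std::move(record));
    if (!send_posted_) {
      send_posted_ = true;
      // The task runs after lock_ is released, so it must not carry a raw
      // EventHandler* captured now; it carries only `this` and re-locks.
      runner_->PostTask([this] { SendQueuedMediaEvents(); });
    }
  }

  void SendQueuedMediaEvents() {
    std::lock_guard<std::mutex> lock(lock_);  // the guard the fix adds
    send_posted_ = false;
    for (auto& record : queued_) {
      auto it = event_handlers_.find(record.player_id);
      if (it == event_handlers_.end()) continue;  // culled meanwhile: drop it
      it->second->received.push_back(record.message);
      ++delivered_;
    }
    queued_.clear();
  }

  FakeTaskRunner* runner_;
  std::mutex lock_;
  std::map<int, std::unique_ptr<EventHandler>> event_handlers_;
  std::deque<LogRecord> queued_;
  bool send_posted_ = false;
  std::size_t delivered_ = 0;
};

// Replays the interleaving from the commit message. Returns
// {records delivered in total, records delivered to the surviving player}.
std::pair<std::size_t, std::size_t> ReplayRace() {
  FakeTaskRunner runner;
  BatchingMediaLog log(&runner);
  log.RegisterPlayer(1);
  log.RegisterPlayer(2);
  log.AddLogRecord({1, "decoder error"});  // posts SendQueuedMediaEvents
  log.AddLogRecord({2, "buffering"});      // coalesced into the same send
  log.OnWebMediaPlayerDestroyed(1);        // culling wins the race
  runner.RunUntilIdle();                   // send runs outside AddLogRecord's lock
  return {log.delivered(), log.ReceivedBy(2).size()};
}
```

The point of the model is the last function: with the handler lookup inside the same lock that `OnWebMediaPlayerDestroyed` takes, a record whose player was culled between queueing and sending is simply dropped, and the surviving player's record is still delivered. Without that guard the send task would be iterating a handler table that the destroy path was free to mutate underneath it, which is the condition the commit message calls out.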