author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-09-06 12:56:18 +0200 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-09-12 07:43:43 +0000 |
commit | 021e3ee70e85ff2efc30a6c46d8b1ec7e42696ca (patch) | |
tree | 6a23421527264e0d2c37cc61f7c68be96214bff3 | |
parent | 5adda98099d631166395b9f3fe6fed39a79edf75 (diff) |
[Backport] CVE-2018-16072
Fix HasSingleSecurityOrigin for HLS
HLS manifests can request segments from a different origin than the
original manifest's origin. We do not inspect HLS manifests within
Chromium, and instead delegate to Android's MediaPlayer. This means we
need to be conservative, and always assume segments might come from a
different origin. HasSingleSecurityOrigin should always return false
when decoding HLS.
Bug: 864283
Change-Id: I264048280792ce39e7f0938f677ee12d301688b6
Reviewed-on: https://chromium-review.googlesource.com/1142691
Reviewed-by: Michael BrĂ¼ning <michael.bruning@qt.io>
-rw-r--r-- | chromium/media/blink/webmediaplayer_impl.cc | 8 | ||||
-rw-r--r-- | chromium/media/blink/webmediaplayer_impl.h | 5 |
2 files changed, 13 insertions, 0 deletions
diff --git a/chromium/media/blink/webmediaplayer_impl.cc b/chromium/media/blink/webmediaplayer_impl.cc
index 8628760d4d0..590b94b4f16 100644
--- a/chromium/media/blink/webmediaplayer_impl.cc
+++ b/chromium/media/blink/webmediaplayer_impl.cc
@@ -1110,6 +1110,12 @@ bool WebMediaPlayerImpl::DidGetOpaqueResponseFromServiceWorker() const {
 }
 
 bool WebMediaPlayerImpl::HasSingleSecurityOrigin() const {
+  if (demuxer_found_hls_) {
+    // HLS manifests might pull segments from a different origin. We can't know
+    // for sure, so we conservatively say no here.
+    return false;
+  }
+
   if (data_source_)
     return data_source_->HasSingleOrigin();
   return true;
@@ -1472,6 +1478,8 @@ void WebMediaPlayerImpl::OnError(PipelineStatus status) {
 
 #if defined(OS_ANDROID)
   if (status == PipelineStatus::DEMUXER_ERROR_DETECTED_HLS) {
+    demuxer_found_hls_ = true;
+
     renderer_factory_selector_->SetUseMediaPlayer(true);
 
     pipeline_controller_.Stop();
diff --git a/chromium/media/blink/webmediaplayer_impl.h b/chromium/media/blink/webmediaplayer_impl.h
index a107e2d3d87..441201f0b74 100644
--- a/chromium/media/blink/webmediaplayer_impl.h
+++ b/chromium/media/blink/webmediaplayer_impl.h
@@ -758,6 +758,11 @@ class MEDIA_BLINK_EXPORT WebMediaPlayerImpl
   // removing |cast_impl_|.
   bool using_media_player_renderer_ = false;
 
+  // Set whenever the demuxer encounters an HLS file.
+  // This flag is distinct from |using_media_player_renderer_|, because on older
+  // devices we might use MediaPlayerRenderer for non HLS playback.
+  bool demuxer_found_hls_ = false;
+
   // Called sometime after the media is suspended in a playing state in
   // OnFrameHidden(), causing the state to change to paused.
   base::OneShotTimer background_pause_timer_;
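Review bot: The new guard in HasSingleSecurityOrigin() fails closed for HLS, but Blink's origin-taint decision for a media element also consults the player's CORS result, so if the sibling `DidPassCORSAccessCheck()` (not in this hunk) still delegates to `data_source_`, a manifest loaded with a `crossorigin` attribute and a permissive CORS header would still count cross-origin HLS segments as CORS-approved even though Android's MediaPlayer never runs a CORS check on them. The same guard, `if (demuxer_found_hls_) return false;` with the same two-line comment, belongs at the top of that method so both paths fail closed. The added comment here should also name the consequence so nobody later relaxes it: `// Frames from HLS are therefore always treated as cross-origin (canvas/WebGL readback taints).` Whether DidPassCORSAccessCheck() already has such a guard cannot be told from this hunk.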
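Review bot: `demuxer_found_hls_ = true;` is placed before `SetUseMediaPlayer(true)` and `pipeline_controller_.Stop()`, which is the right order since the restart through MediaPlayerRenderer is what will eventually deliver frames, but nothing records that the order matters; a comment such as `// Must be set before the MediaPlayerRenderer restart below so every origin query from here on fails closed.` would prevent a future reorder from reopening the hole. The flag is never cleared on this path, which is the conservative choice for the rest of this player's lifetime; if the object can be re-used for a later load (not visible here), that should be confirmed. OnError()'s body starts and continues outside the hunk, so whether the write happens on the same thread that reads the flag in HasSingleSecurityOrigin() is not visible here and should be checked.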
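Review bot: The new member comment explains how `demuxer_found_hls_` differs from `using_media_player_renderer_` but not what the flag is for or that it is sticky, which is the part a maintainer needs before touching it. I would document it as: "Set (and never cleared) once the demuxer reports HLS. Read by HasSingleSecurityOrigin(), which must then report false because the platform player may fetch segments cross-origin and Chromium does not inspect the manifest (CVE-2018-16072)." Minor style point: `non HLS` should be `non-HLS` to match the hyphenation used elsewhere in this header.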