| author | Raymond Toy <rtoy@chromium.org> | 2021-05-11 14:35:53 +0000 |
|---|---|---|
| committer | Michael Brüning <michael.bruning@qt.io> | 2021-11-10 18:18:58 +0000 |
| commit | aa041d5236cb8b3bb9b200612959d2d1d86bfbce (patch) | |
| tree | 39af37d051669e40d4fb8eca53817f3c7d39d983 | |
| parent | aa004024cb5264799cc9ef95d1297ca6ce112c17 (diff) | |
[Backport] CVE-2021-30522: Use after free in WebAudio

Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2874771:

Add AudioHandler to orphan handlers when context is suspended.

If the context is suspended, pulling of the audio graph is stopped.
But we still need to add the handler in this case so that when the
context is resumed, the handler is still alive until it can be safely
removed. Hence, we must still add the handler if the context is
suspended.

Test cases from issue 1176218 manually tested with no failures. Also
this doesn't cause any regressions in issue 1003807 and issue 1017961.
(Manually tested the test cases from those issues.)

Bug: 1176218
Change-Id: Icd927c488505dfee9ff716866f98286e286d546a
Reviewed-by: Hongchan Choi <hongchan@chromium.org>
Commit-Queue: Raymond Toy <rtoy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#881533}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/third_party/blink/renderer/modules/webaudio/audio_node.cc | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/chromium/third_party/blink/renderer/modules/webaudio/audio_node.cc b/chromium/third_party/blink/renderer/modules/webaudio/audio_node.cc index 9fd87686546..0ad39956d3a 100644 --- a/chromium/third_party/blink/renderer/modules/webaudio/audio_node.cc +++ b/chromium/third_party/blink/renderer/modules/webaudio/audio_node.cc @@ -605,13 +605,13 @@ void AudioNode::Dispose() { BaseAudioContext::GraphAutoLocker locker(context()); Handler().Dispose(); - // Add the handler to the orphan list if the context is pulling on the audio - // graph. This keeps the handler alive until it can be deleted at a safe - // point (in pre/post handler task). If graph isn't being pulled, we can - // delete the handler now since nothing on the audio thread will be touching - // it. + // Add the handler to the orphan list. This keeps the handler alive until it + // can be deleted at a safe point (in pre/post handler task). If the graph is + // being processed, the handler must be added. If the context is suspended, + // the handler still needs to be added in case the context is resumed. DCHECK(context()); - if (context()->IsPullingAudioGraph()) { + if (context()->IsPullingAudioGraph() || + context()->ContextState() == BaseAudioContext::AudioContextState::kSuspended) { context()->GetDeferredTaskHandler().AddRenderingOrphanHandler( std::move(handler_)); } |
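Review bot: The rewritten comment in AudioNode::Dispose() drops the one sentence that justified the remaining fall-through case. The removed text said "If graph isn't being pulled, we can delete the handler now since nothing on the audio thread will be touching it"; the new comment only explains the two cases that do add the handler (graph being pulled, context suspended), so a reader no longer sees why `handler_` may be dropped when neither condition holds. Suggest keeping a closing sentence such as "Otherwise the context is not running and cannot be resumed, so nothing on the audio thread can touch the handler and it can be deleted now." Since the fix guards a use-after-free and the commit message reports only manual testing of the repro from issue 1176218, it would also be worth landing that repro as a WebAudio layout test so the suspend-then-dispose-then-resume sequence stays covered.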