authorRaymond Toy <rtoy@chromium.org>2021-01-05 18:29:02 +0000
committer Michael Brüning <michael.bruning@qt.io> 2021-01-15 15:38:25 +0000
commiteb908d2c4a6d294034ab8e89cb67631d3ef48270 (patch)
treece8e288d76b605dc62cf3b8bc7086df24f007b89
parent72f67be024afbbeadab26e9c3f3f848827c85e18 (diff)
[Backport] CVE-2021-21114: Use after free in audio
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2575418:

Clear handlers when the base context goes away.

Previously, in BaseAudioContext::Clear() we called GetDeferredTaskHandler().ClearHandlersToBeDeleted(). But this was also called in DeferredTaskHandler::ContextWillBeDestroyed(), which is called in BaseAudioContext::~BaseAudioContext(). There's no need to call this twice while handling the audio context going away.

Manually verified that the tests from issue 1125635 and 1153658 work, and the deadlock in issue 1136571 is gone.

(cherry picked from commit d866af575997f2b9c0476be5c58c09b7b7885c4e)

Bug: 1150065, 1153658
Change-Id: Iee15c31dc637bf82d66bfd79d5238b1f80813153
Commit-Queue: Raymond Toy <rtoy@chromium.org>
Reviewed-by: Hongchan Choi <hongchan@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#834265}
Reviewed-by: Raymond Toy <rtoy@chromium.org>
Cr-Commit-Position: refs/branch-heads/4280@{#2004}
Cr-Branched-From: ea420fb963f9658c9969b6513c56b8f47efa1a2a-refs/heads/master@{#812852}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- chromium/third_party/blink/renderer/modules/webaudio/base_audio_context.cc | 5
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/chromium/third_party/blink/renderer/modules/webaudio/base_audio_context.cc b/chromium/third_party/blink/renderer/modules/webaudio/base_audio_context.cc
index 21a3d73361c..a2375e984c6 100644
--- a/chromium/third_party/blink/renderer/modules/webaudio/base_audio_context.cc
+++ b/chromium/third_party/blink/renderer/modules/webaudio/base_audio_context.cc
@@ -136,9 +136,8 @@ void BaseAudioContext::Initialize() {
void BaseAudioContext::Clear() {
destination_node_.Clear();
- // The audio rendering thread is dead. Nobody will schedule AudioHandler
- // deletion. Let's do it ourselves.
- GetDeferredTaskHandler().ClearHandlersToBeDeleted();
+ // Make a note that we've cleared out the context so that there's no pending
+ // activity.
is_cleared_ = true;
}
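Review bot: The replacement comment in this hunk ("Make a note that we've cleared out the context so that there's no pending activity") describes only the is_cleared_ flag and drops the one piece of information the next reader needs, namely where AudioHandler deletion happens now that the `GetDeferredTaskHandler().ClearHandlersToBeDeleted();` call has been removed from Clear(). The commit message says it is done once, in DeferredTaskHandler::ContextWillBeDestroyed() from ~BaseAudioContext(); please say so in the comment, otherwise someone reading the old text ("Nobody will schedule AudioHandler deletion. Let's do it ourselves.") in history will be tempted to reintroduce the call and with it the double-clear this CVE fix removes. Since the fix is only "manually verified" against the tests from issues 1125635 and 1153658, it would also help to reference those tests in the comment or land them alongside the backport so the regression has automated coverage.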