chore: cherry-pick 4c57222340cf from chromium #23009

Merged
merged 6 commits into from Apr 9, 2020


nornagon
Member

@nornagon nornagon commented Apr 8, 2020

Make finished_source_handlers_ hold scoped_refptrs

Previously, finished_source_handlers_ held raw pointers to
AudioHandlers and assumed that active_source_handlers_ also had a
copy. But when the context goes away, active_source_handlers_ would
be cleared, but not finished_source_handlers_, leaving pointers to
deleted objects.

So do two things:

  1. Change finished_source_handlers_ to hold scoped_refptrs to manage
    lifetime of the objects
  2. Clear finished_source_handler_ in ClearHandlersToBeDeleted()

Either of these fixes the repro case, but let's do both. Don't want to
leave dangling objects.

Manually tested the repro case which no longer reproduces.

Bug: 1059686
Change-Id: I2f30c996e8589fa5c3890d32500c4bb4f3bc4286
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2098260
Reviewed-by: Hongchan Choi <hongchan@chromium.org>
Commit-Queue: Raymond Toy <rtoy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#749302}

Notes: Security: backported fix for CVE-2020-6449: Use after free in audio.
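
A simplified model of the lifetime bug the commit message describes, as an added example that is not part of this PR or of Chromium's source. `std::shared_ptr` stands in for `scoped_refptr`, `std::weak_ptr` models the raw pointer so that a stale entry can be observed without undefined behaviour, and the type and method names are hypothetical.

```cpp
// Added illustration: a simplified model, not Chromium or Electron code.
// std::shared_ptr stands in for scoped_refptr; type and method names are hypothetical.
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

struct Handler { int id; };
using Owning = std::shared_ptr<Handler>;
using NonOwning = std::weak_ptr<Handler>;  // models a raw Handler* whose validity can be checked

// Before the fix: only the active list keeps handlers alive.
struct ListsBefore {
  std::vector<Owning> active;
  std::vector<NonOwning> finished;
  void Add(int id) { active.push_back(std::make_shared<Handler>(Handler{id})); }
  void MarkFinished(std::size_t i) { finished.push_back(active[i]); }
  void OnContextGone() { active.clear(); }  // finished is left untouched
  std::size_t Dangling() const {
    std::size_t n = 0;
    for (const auto& w : finished) n += w.expired();
    return n;
  }
};

// After the fix: finished owns its entries (change 1) and is cleared on teardown (change 2).
struct ListsAfter {
  std::vector<Owning> active;
  std::vector<Owning> finished;
  void Add(int id) { active.push_back(std::make_shared<Handler>(Handler{id})); }
  void MarkFinished(std::size_t i) { finished.push_back(active[i]); }
  void ClearActiveOnly() { active.clear(); }                  // change 1 alone
  void OnContextGone() { active.clear(); finished.clear(); }  // changes 1 and 2
};
std::size_t DanglingBeforeFix() {  // entries that point at destroyed handlers
  ListsBefore l; l.Add(1); l.MarkFinished(0); l.OnContextGone();
  return l.Dangling();
}
int ReadAfterActiveCleared() {  // with owning entries the handler is still valid
  ListsAfter l; l.Add(7); l.MarkFinished(0); l.ClearActiveOnly();
  return l.finished[0]->id;
}
std::size_t FinishedLeftAfterTeardown() {  // nothing outlives the context
  ListsAfter l; l.Add(7); l.MarkFinished(0); l.OnContextGone();
  return l.finished.size();
}
int main() {
  std::printf("dangling=%zu read=%d left=%zu\n", DanglingBeforeFix(), ReadAfterActiveCleared(), FinishedLeftAfterTeardown());
}
```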

@nornagon nornagon requested a review from a team as a code owner April 8, 2020 00:36
@nornagon nornagon added 7-2-x backport-check-skip Skip trop's backport validity checking labels Apr 8, 2020
@electron-cation electron-cation bot added new-pr 🌱 PR opened in the last 24 hours and removed new-pr 🌱 PR opened in the last 24 hours labels Apr 8, 2020
@deepak1556
Member

Build needs to be fixed.

@nornagon
Member Author

nornagon commented Apr 9, 2020

Should wait for #23013

@nornagon nornagon merged commit 9c92d87 into 7-2-x Apr 9, 2020
@release-clerk

release-clerk bot commented Apr 9, 2020

Release Notes Persisted

Security: backported fix for CVE-2020-6449: Use after free in audio.

@nornagon nornagon deleted the cherry-pick/7-2-x/chromium/4c57222340cf branch April 9, 2020 22:56