Android: Add null checks in SpeechRecognitionImpl

This CL is a speculative fix that adds null checks against the native pointer before calling into native layer. The native pointer gets nulled out when the native object is destroyed, so this can help avoid potential UAF. Bug: 1131346 Change-Id: Ie27dc55f308d64638ff09b5bcdbeb53ef2f8edde Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2483740Reviewed-by: Primiano Tucci <primiano@chromium.org> Commit-Queue: Jinsuk Kim <jinsukkim@chromium.org> Cr-Commit-Position: refs/heads/master@{#819658}

Android: Add null checks in SpeechRecognitionImpl
This CL is a speculative fix that adds null checks against the native pointer before calling into native layer. The native pointer gets nulled out when the native object is destroyed, so this can help avoid potential UAF. Bug: 1131346 Change-Id: Ie27dc55f308d64638ff09b5bcdbeb53ef2f8edde Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2483740Reviewed-by: Primiano Tucci <primiano@chromium.org> Commit-Queue: Jinsuk Kim <jinsukkim@chromium.org> Cr-Commit-Position: refs/heads/master@{#819658}
3790f1e6 · Jinsuk Kim · Commit Bot · f30472af · 3790f1e6
Commit 3790f1e6 authored Oct 22, 2020 by Jinsuk Kim Committed by Commit Bot Oct 22, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 0 deletions

content/public/android/java/src/org/chromium/content/browser/SpeechRecognitionImpl.java ...c/org/chromium/content/browser/SpeechRecognitionImpl.java +7 -0

No files found.
--- a/content/public/android/java/src/org/chromium/content/browser/SpeechRecognitionImpl.java
+++ b/content/public/android/java/src/org/chromium/content/browser/SpeechRecognitionImpl.java
@@ -70,6 +70,8 @@ public class SpeechRecognitionImpl {

        @Override
        public void onBeginningOfSpeech() {
+            if (mNativeSpeechRecognizerImplAndroid == 0) return;
+
            mState = STATE_CAPTURING_SPEECH;
            SpeechRecognitionImplJni.get().onSoundStart(
                    mNativeSpeechRecognizerImplAndroid, SpeechRecognitionImpl.this);
@@ -86,6 +88,7 @@ public class SpeechRecognitionImpl {
            // equivalent (onsoundend) event. Thus, the only way to provide a valid onsoundend
            // event is to trigger it when the last result is received or the session is aborted.
            if (!mContinuous) {
+                if (mNativeSpeechRecognizerImplAndroid == 0) return;
                SpeechRecognitionImplJni.get().onSoundEnd(
                        mNativeSpeechRecognizerImplAndroid, SpeechRecognitionImpl.this);
                // Since Android doesn't have a dedicated event for when audio capture is finished,
@@ -141,6 +144,8 @@ public class SpeechRecognitionImpl {

        @Override
        public void onReadyForSpeech(Bundle bundle) {
+            if (mNativeSpeechRecognizerImplAndroid == 0) return;
+
            mState = STATE_AWAITING_SPEECH;
            SpeechRecognitionImplJni.get().onAudioStart(
                    mNativeSpeechRecognizerImplAndroid, SpeechRecognitionImpl.this);
@@ -159,6 +164,8 @@ public class SpeechRecognitionImpl {
        public void onRmsChanged(float rms) { }

        private void handleResults(Bundle bundle, boolean provisional) {
+            if (mNativeSpeechRecognizerImplAndroid == 0) return;
+
            if (mContinuous && provisional) {
                // In continuous mode, Android's recognizer sends final results as provisional.
                provisional = false;