Use-after-poison in blink::RTCPeerConnectionHandler::OnaddICECandidateResult

This CL fixes the clusterfuzz issues reported (see "Fixed" below) by using WTF::Bind and WrapPersistent in RTCPeerConnectionHandler::AddICECandidate. This is a regression from crrev.com/c/1899786, where code used to have a WebRTCVoidRequest wrapping RTCVoidRequest instances (garbage collected). Now that RTCVoidRequest is used directly, we need to properly wrap-persist its instances with WTF::WrapPersistent when passing it to callbacks. Reason: With Oilpan and WTF::Bind, raw pointers of garbage collected objects are not allowed. Fixed:1021919 R=haraken@chromium.org Change-Id: If9128d73f288bf0e39495effd8e33779a81cc0a2 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1901726 Commit-Queue: Antonio Gomes <tonikitoo@igalia.com> Commit-Queue: Jeremy Roman <jbroman@chromium.org> Auto-Submit: Antonio Gomes <tonikitoo@igalia.com> Reviewed-by: Jeremy Roman <jbroman@chromium.org> Cr-Commit-Position: refs/heads/master@{#713152}

Use-after-poison in blink::RTCPeerConnectionHandler::OnaddICECandidateResult
This CL fixes the clusterfuzz issues reported (see "Fixed" below) by using WTF::Bind and WrapPersistent in RTCPeerConnectionHandler::AddICECandidate. This is a regression from crrev.com/c/1899786, where code used to have a WebRTCVoidRequest wrapping RTCVoidRequest instances (garbage collected). Now that RTCVoidRequest is used directly, we need to properly wrap-persist its instances with WTF::WrapPersistent when passing it to callbacks. Reason: With Oilpan and WTF::Bind, raw pointers of garbage collected objects are not allowed. Fixed:1021919 R=haraken@chromium.org Change-Id: If9128d73f288bf0e39495effd8e33779a81cc0a2 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1901726 Commit-Queue: Antonio Gomes <tonikitoo@igalia.com> Commit-Queue: Jeremy Roman <jbroman@chromium.org> Auto-Submit: Antonio Gomes <tonikitoo@igalia.com> Reviewed-by: Jeremy Roman <jbroman@chromium.org> Cr-Commit-Position: refs/heads/master@{#713152}
55c1c069 · Antonio Gomes · Commit Bot · 395bf03e · 55c1c069
Commit 55c1c069 authored Nov 06, 2019 by Antonio Gomes Committed by Commit Bot Nov 06, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

third_party/blink/renderer/modules/peerconnection/rtc_peer_connection_handler.cc ...rer/modules/peerconnection/rtc_peer_connection_handler.cc +2 -2

No files found.
--- a/third_party/blink/renderer/modules/peerconnection/rtc_peer_connection_handler.cc
+++ b/third_party/blink/renderer/modules/peerconnection/rtc_peer_connection_handler.cc
@@ -1571,8 +1571,8 @@ bool RTCPeerConnectionHandler::AddICECandidate(
  bool result = AddICECandidate(std::move(candidate));
  task_runner_->PostTask(
      FROM_HERE,
-      base::BindOnce(&RTCPeerConnectionHandler::OnaddICECandidateResult,
+      WTF::Bind(&RTCPeerConnectionHandler::OnaddICECandidateResult,
-                     weak_factory_.GetWeakPtr(), request, result));
+                weak_factory_.GetWeakPtr(), WrapPersistent(request), result));
  // On failure callback will be triggered.
  return true;
 }