Ensure TtsHandler removes itself as an UtteranceEventDelegate on destruction

Mostly speculative to fix crash (enclosed in bug). Could not reproduce. From the stack, it looks like TtsHandler::HandlePreviewTtsVoice gets called. This results in sending an utterance, with TtsHandler as a delegate. TtsHandler never removes itself as a delegate, if the utterance is alive, but TtsHandler gets destroyed. Any calls to TtsUtterance::OnTtsEvent would deref a deallocated TtsHandler (uaf). It's not quite what occurs in the stack, but the above seems like an issue. R=katie@chromium.org Fixed: 1038277 Change-Id: Iffda2304c9d2f88f58af51accebf738bfbc39181 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2210004Reviewed-by: dpapad <dpapad@chromium.org> Reviewed-by: Katie Dektar <katie@chromium.org> Commit-Queue: dpapad <dpapad@chromium.org> Commit-Queue: David Tseng <dtseng@chromium.org> Auto-Submit: David Tseng <dtseng@chromium.org> Cr-Commit-Position: refs/heads/master@{#771977}

Ensure TtsHandler removes itself as an UtteranceEventDelegate on destruction
Mostly speculative to fix crash (enclosed in bug). Could not reproduce. From the stack, it looks like TtsHandler::HandlePreviewTtsVoice gets called. This results in sending an utterance, with TtsHandler as a delegate. TtsHandler never removes itself as a delegate, if the utterance is alive, but TtsHandler gets destroyed. Any calls to TtsUtterance::OnTtsEvent would deref a deallocated TtsHandler (uaf). It's not quite what occurs in the stack, but the above seems like an issue. R=katie@chromium.org Fixed: 1038277 Change-Id: Iffda2304c9d2f88f58af51accebf738bfbc39181 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2210004Reviewed-by: dpapad <dpapad@chromium.org> Reviewed-by: Katie Dektar <katie@chromium.org> Commit-Queue: dpapad <dpapad@chromium.org> Commit-Queue: David Tseng <dtseng@chromium.org> Auto-Submit: David Tseng <dtseng@chromium.org> Cr-Commit-Position: refs/heads/master@{#771977}
8f318f60 · David Tseng · Commit Bot · dfc2af94 · 8f318f60 · 8f318f60
Commit 8f318f60 authored May 26, 2020 by David Tseng Committed by Commit Bot May 26, 2020
Showing with 8 additions and 3 deletions

chrome/browser/ui/webui/settings/tts_handler.cc chrome/browser/ui/webui/settings/tts_handler.cc +7 -3

chrome/browser/ui/webui/settings/tts_handler.h chrome/browser/ui/webui/settings/tts_handler.h +1 -0

No files found.
--- a/chrome/browser/ui/webui/settings/tts_handler.cc
+++ b/chrome/browser/ui/webui/settings/tts_handler.cc
@@ -28,7 +28,7 @@ namespace settings {
 TtsHandler::TtsHandler() {}

 TtsHandler::~TtsHandler() {
-  content::TtsController::GetInstance()->RemoveVoicesChangedDelegate(this);
+  RemoveTtsControllerDelegates();
 }

 void TtsHandler::HandleGetAllTtsVoiceData(const base::ListValue* args) {
@@ -176,8 +176,7 @@ void TtsHandler::OnJavascriptAllowed() {
 }

 void TtsHandler::OnJavascriptDisallowed() {
-  content::TtsController::GetInstance()->RemoveVoicesChangedDelegate(this);
-  content::TtsController::GetInstance()->RemoveUtteranceEventDelegate(this);
+  RemoveTtsControllerDelegates();
 }

 int TtsHandler::GetVoiceLangMatchScore(const content::VoiceData* voice,
@@ -205,4 +204,9 @@ void TtsHandler::OnTtsEngineAwake(bool success) {
  OnVoicesChanged();
 }

+void TtsHandler::RemoveTtsControllerDelegates() {
+  content::TtsController::GetInstance()->RemoveVoicesChangedDelegate(this);
+  content::TtsController::GetInstance()->RemoveUtteranceEventDelegate(this);
+}
+
 }  // namespace settings
--- a/chrome/browser/ui/webui/settings/tts_handler.h
+++ b/chrome/browser/ui/webui/settings/tts_handler.h
@@ -45,6 +45,7 @@ class TtsHandler : public SettingsPageUIHandler,
  void OnTtsEngineAwake(bool success);
  int GetVoiceLangMatchScore(const content::VoiceData* voice,
                             const std::string& app_locale);
+  void RemoveTtsControllerDelegates();

  base::WeakPtrFactory<TtsHandler> weak_factory_{this};