Commit 91254d4d authored by Anton Bikineev, committed by Commit Bot

webcodecs: Fix UaF caused by uncleared weakref to VideoDecoder.

This was found by the new checker in blink_gc_plugin.

Bug: 522357
Change-Id: Iba582ffbe39c3f4311fae277c540999ae0350173
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2130271
Reviewed-by: Dan Sanders <sandersd@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/master@{#755176}
parent cce1b27b
...@@ -110,9 +110,8 @@ VideoDecoder* VideoDecoder::Create(ScriptState* script_state) { ...@@ -110,9 +110,8 @@ VideoDecoder* VideoDecoder::Create(ScriptState* script_state) {
} }
VideoDecoder::VideoDecoder(ScriptState* script_state) VideoDecoder::VideoDecoder(ScriptState* script_state)
: script_state_(script_state), weak_factory_(this) { : script_state_(script_state) {
DVLOG(1) << __func__; DVLOG(1) << __func__;
weak_this_ = weak_factory_.GetWeakPtr();
} }
VideoDecoder::~VideoDecoder() { VideoDecoder::~VideoDecoder() {
...@@ -189,8 +188,9 @@ ScriptPromise VideoDecoder::configure(const EncodedVideoConfig* config, ...@@ -189,8 +188,9 @@ ScriptPromise VideoDecoder::configure(const EncodedVideoConfig* config,
media::VideoColorSpace::REC709(), media::kNoTransformation, media::VideoColorSpace::REC709(), media::kNoTransformation,
gfx::Size(320, 180), gfx::Rect(0, 0, 320, 180), gfx::Size(320, 180), gfx::Size(320, 180), gfx::Rect(0, 0, 320, 180), gfx::Size(320, 180),
media::EmptyExtraData(), media::EncryptionScheme::kUnencrypted), media::EmptyExtraData(), media::EncryptionScheme::kUnencrypted),
false, nullptr, WTF::Bind(&VideoDecoder::OnInitializeDone, weak_this_), false, nullptr,
WTF::BindRepeating(&VideoDecoder::OnOutput, weak_this_), WTF::Bind(&VideoDecoder::OnInitializeDone, WrapWeakPersistent(this)),
WTF::BindRepeating(&VideoDecoder::OnOutput, WrapWeakPersistent(this)),
base::RepeatingCallback<void(media::WaitingReason)>()); base::RepeatingCallback<void(media::WaitingReason)>());
return configure_resolver->Promise(); return configure_resolver->Promise();
...@@ -291,8 +291,9 @@ ScriptPromise VideoDecoder::Write(ScriptValue chunk, ...@@ -291,8 +291,9 @@ ScriptPromise VideoDecoder::Write(ScriptValue chunk,
// TODO(sandersd): Add reentrancy checker; OnDecodeDone() could disturb // TODO(sandersd): Add reentrancy checker; OnDecodeDone() could disturb
// |pending_decodes_|. // |pending_decodes_|.
pending_decodes_++; pending_decodes_++;
decoder_->Decode(std::move(decoder_buffer), decoder_->Decode(
WTF::Bind(&VideoDecoder::OnDecodeDone, weak_this_)); std::move(decoder_buffer),
WTF::Bind(&VideoDecoder::OnDecodeDone, WrapWeakPersistent(this)));
return CreateWritePromise(); return CreateWritePromise();
} }
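Review bot: Nothing at the three bind sites (`OnInitializeDone` and `OnOutput` in configure(), `OnDecodeDone` in Write()) records why the receiver is `WrapWeakPersistent(this)`, so a later refactor could reintroduce a `base::WeakPtr` to this garbage-collected object. The class is declared as a `ScriptWrappable`, and the commit message attributes the use-after-free to a weak reference that was not cleared. A short comment at the first bind would keep that reasoning next to the code, e.g. `// |this| is garbage-collected: bind via WrapWeakPersistent so the GC cancels the callback; do not hand out base::WeakPtr to it.` As far as I know `WrapWeakPersistent` is a same-thread handle, so it is worth confirming that `decoder_` runs these callbacks on the thread that owns the VideoDecoder; the hunks do not show that. configure() and Write() both begin and end outside the visible hunks.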
......
...@@ -86,9 +86,6 @@ class MODULES_EXPORT VideoDecoder final : public ScriptWrappable { ...@@ -86,9 +86,6 @@ class MODULES_EXPORT VideoDecoder final : public ScriptWrappable {
std::unique_ptr<media::VideoDecoder> decoder_; std::unique_ptr<media::VideoDecoder> decoder_;
bool has_error_ = false; bool has_error_ = false;
int pending_decodes_ = 0; int pending_decodes_ = 0;
base::WeakPtr<VideoDecoder> weak_this_;
base::WeakPtrFactory<VideoDecoder> weak_factory_;
}; };
} // namespace blink } // namespace blink
......