Bad-cast to blink::RTCVoidRequest from invalid vptr in blink::OnReplaceTrackCompleted

This CL fixes the clusterfuzz issues reported (see "Fixed" below) by using WTF::Bind and WrapPersistent in RTCRtpSenderImpl::ReplaceTrack. This is a regression from crrev.com/c/1899786, where code used to have a WebRTCVoidRequest wrapping RTCVoidRequest instances (garbage collected). Now that RTCVoidRequest is used directly, we need to properly wrap-persist its instances with WTF::WrapPersistent when passing it to callbacks. Reason: With Oilpan and WTF::Bind, raw pointers of garbage collected objects are not allowed. Fixed:1022558 R=hbos@chormium.org, jbroman@chromium.org Change-Id: I8f0fcf7275c9e07240e3b2e20f89c4cf96c72439 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1906506 Commit-Queue: Antonio Gomes <tonikitoo@igalia.com> Commit-Queue: Henrik Boström <hbos@chromium.org> Reviewed-by: Henrik Boström <hbos@chromium.org> Cr-Commit-Position: refs/heads/master@{#713853}

Bad-cast to blink::RTCVoidRequest from invalid vptr in blink::OnReplaceTrackCompleted
This CL fixes the clusterfuzz issues reported (see "Fixed" below) by using WTF::Bind and WrapPersistent in RTCRtpSenderImpl::ReplaceTrack. This is a regression from crrev.com/c/1899786, where code used to have a WebRTCVoidRequest wrapping RTCVoidRequest instances (garbage collected). Now that RTCVoidRequest is used directly, we need to properly wrap-persist its instances with WTF::WrapPersistent when passing it to callbacks. Reason: With Oilpan and WTF::Bind, raw pointers of garbage collected objects are not allowed. Fixed:1022558 R=hbos@chormium.org, jbroman@chromium.org Change-Id: I8f0fcf7275c9e07240e3b2e20f89c4cf96c72439 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1906506 Commit-Queue: Antonio Gomes <tonikitoo@igalia.com> Commit-Queue: Henrik Boström <hbos@chromium.org> Reviewed-by: Henrik Boström <hbos@chromium.org> Cr-Commit-Position: refs/heads/master@{#713853}
a5063e64 · Antonio Gomes · Commit Bot · c7b7114a · a5063e64
Commit a5063e64 authored Nov 08, 2019 by Antonio Gomes Committed by Commit Bot Nov 08, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 2 deletions

third_party/blink/renderer/modules/peerconnection/rtc_rtp_sender_impl.cc ...nk/renderer/modules/peerconnection/rtc_rtp_sender_impl.cc +3 -2

No files found.
--- a/third_party/blink/renderer/modules/peerconnection/rtc_rtp_sender_impl.cc
+++ b/third_party/blink/renderer/modules/peerconnection/rtc_rtp_sender_impl.cc
@@ -453,8 +453,9 @@ blink::WebVector<blink::WebString> RTCRtpSenderImpl::StreamIds() const {
 void RTCRtpSenderImpl::ReplaceTrack(blink::WebMediaStreamTrack with_track,
                                    blink::RTCVoidRequest* request) {
-  internal_->ReplaceTrack(std::move(with_track),
+  internal_->ReplaceTrack(
-                          base::BindOnce(&OnReplaceTrackCompleted, request));
+      std::move(with_track),
+      WTF::Bind(&OnReplaceTrackCompleted, WrapPersistent(request)));
 }
 std::unique_ptr<blink::RtcDtmfSenderHandler> RTCRtpSenderImpl::GetDtmfSender()