
Unified Diff: content/renderer/media/webaudio_capturer_source.cc

Issue 1071063005: Fix heap-use-after-free issue with WebAudioCapturerSource. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Add thread check to WebAudioCapturerSource destructor Created 5 years, 8 months ago
Index: content/renderer/media/webaudio_capturer_source.cc
diff --git a/content/renderer/media/webaudio_capturer_source.cc b/content/renderer/media/webaudio_capturer_source.cc
index 3447cc9519965b83b9f5a2ec45634454273038e0..465e7bbdf570c5b224d1a6cc2c9443d152e1761f 100644
--- a/content/renderer/media/webaudio_capturer_source.cc
+++ b/content/renderer/media/webaudio_capturer_source.cc
@@ -19,12 +19,16 @@ static const int kMaxNumberOfBuffersInFifo = 5;
namespace content {
-WebAudioCapturerSource::WebAudioCapturerSource()
+WebAudioCapturerSource::WebAudioCapturerSource(
+ const blink::WebMediaStreamSource& blink_source)
: track_(NULL),
- audio_format_changed_(false) {
+ audio_format_changed_(false),
+ blink_source_(blink_source) {
}
WebAudioCapturerSource::~WebAudioCapturerSource() {
+ DCHECK(thread_checker_.CalledOnValidThread());
+ removeFromBlinkSource();
}
void WebAudioCapturerSource::setFormat(
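Review bot: The `DCHECK(thread_checker_.CalledOnValidThread())` added to the destructor compiles away in release builds, so shipped binaries do not stop the final reference from being dropped on another thread, where `removeFromBlinkSource()` would then touch `blink_source_`. Whether that can happen depends on who holds references to this object, which is not visible in this hunk. I would state the requirement next to the destructor, e.g. `// Must be destroyed on the thread it was created on; owners should call Stop() first so the call below is a no-op.`, and have the header say that `blink_source_` is only accessed on that thread.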
@@ -68,6 +72,7 @@ void WebAudioCapturerSource::Stop() {
DCHECK(thread_checker_.CalledOnValidThread());
base::AutoLock auto_lock(lock_);
track_ = NULL;
+ removeFromBlinkSource();
}
void WebAudioCapturerSource::consumeAudio(
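Review bot: In Stop(), `removeFromBlinkSource()` runs while `lock_` is still held, so `blink_source_.removeAudioConsumer(this)` calls out into Blink under this object's lock. If Blink serializes consumer removal against the audio callback that feeds consumeAudio(), and consumeAudio() takes `lock_` (its body is not in this hunk, so this is inferred), the two threads can acquire the locks in opposite order and deadlock. Scoping the lock to the field it protects avoids that: `{ base::AutoLock auto_lock(lock_); track_ = NULL; }` followed by `removeFromBlinkSource();` outside the braces. Stop()'s opening line is only visible in the hunk header.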
@@ -116,4 +121,16 @@ void WebAudioCapturerSource::consumeAudio(
}
}
+// If registered as audio consumer in |blink_source_|, deregister from
+// |blink_source_| and stop keeping a reference to |blink_source_|.
+// Failure to call this method when stopping the track might leave an invalid
+// WebAudioCapturerSource reference still registered as an audio consumer on
+// the blink side.
+void WebAudioCapturerSource::removeFromBlinkSource() {
+ if (!blink_source_.isNull()) {
+ blink_source_.removeAudioConsumer(this);
+ blink_source_.reset();
+ }
+}
+
} // namespace content
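Review bot: `removeFromBlinkSource()` has no thread assertion of its own, and its comment does not say what guards `blink_source_`; it is reached from the destructor without `lock_` and from Stop() with `lock_` held. A stale consumer pointer left on the Blink side is the use-after-free this change addresses, so the helper should make its precondition explicit. Add `DCHECK(thread_checker_.CalledOnValidThread());` as its first statement and extend the comment with `// Must be called on the thread checked by |thread_checker_|; safe to call more than once.` The second half of that comment relies on `isNull()` returning true after `reset()`, which is worth confirming against the WebMediaStreamSource API.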
