Chromium Code Reviews

Issue 1136803003: Fix heap-use-after-free issue with WebAudioCapturerSource. (Closed)

Created: 5 years, 7 months ago by magjed_chromium
Modified: 5 years, 7 months ago
Reviewers: Guido Urdaneta
CC: chromium-reviews, mlamouri+watch-content@chromium.org, posciak+watch@chromium.org, jam, mcasas+watch@chromium.org, feature-media-reviews@chromium.org, darin-cc@chromium.org, mkwst+moarreviews-renderer@chromium.org, wjia+watch@chromium.org
Base URL: https://chromium.googlesource.com/a/chromium/src.git@2357
Target Ref: refs/pending/branch-heads/2357
Project: chromium
Visibility: Public.

Description

Fix heap-use-after-free issue with WebAudioCapturerSource.

WebAudioCapturerSource registers with a blink WebMediaStreamSource. When the audio track was stopped, the WebAudioCapturerSource was destroyed and the WebMediaStreamSource was left with a dangling pointer, which it tried to use, resulting in access to freed memory and usually a crashed tab. This CL makes WebAudioCapturerSource aware of the WebMediaStreamSource with which it is registered, so that it can be deregistered when the audio track is stopped.

BUG=473253
TEST=See testcase.html in crbug.com/473253

Review URL: https://codereview.chromium.org/1071063005
Cr-Commit-Position: refs/heads/master@{#324622}
(cherry picked from commit 228cd9447121ede4d32ab48c8dfe066736cfdae2)

R=guidou@chromium.org
TBR=henrika, perkj
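The lifetime bug the description fixes, reduced to an added C++ sketch that is not Chromium's code (the two stand-in classes and the remember_owner switch are assumptions): the source side keeps only a raw pointer to the capturer that registered with it, so unless the capturer remembers where it registered and clears that registration when the track stops, destroying it leaves the source pointing at freed memory.

```cpp
#include <cassert>
#include <memory>
class CapturerSource;
// Stand-in for blink's WebMediaStreamSource (assumed shape, not blink's API):
// it only holds a raw pointer to whichever capturer registered with it.
class MediaStreamSource {
 public:
  void SetCapturer(CapturerSource* capturer) { capturer_ = capturer; }
  // Reads only the pointer value, never the object it points at.
  bool HasCapturer() const { return capturer_ != nullptr; }
  int RequestAudio();  // pulls one block via the registration; -1 if none
 private:
  CapturerSource* capturer_ = nullptr;
};

// Stand-in for WebAudioCapturerSource. |remember_owner| selects the fix from
// the CL: keep the source we registered with so we can deregister on stop.
class CapturerSource {
 public:
  CapturerSource(MediaStreamSource* source, bool remember_owner)
      : owner_(remember_owner ? source : nullptr) {
    source->SetCapturer(this);
  }
  ~CapturerSource() { Stop(); }
  // Audio track stopped: with the fix, clear the registration before dying.
  void Stop() {
    if (owner_) {
      owner_->SetCapturer(nullptr);
      owner_ = nullptr;
    }
  }
  int Capture() { return ++blocks_captured_; }
 private:
  MediaStreamSource* owner_;
  int blocks_captured_ = 0;
};

int MediaStreamSource::RequestAudio() {
  return capturer_ ? capturer_->Capture() : -1;
}
// Destroys the capturer as a stopped track would and reports whether the
// source still holds a registration: true means a dangling pointer was left.
bool RegistrationLeftAfterStop(bool with_fix) {
  MediaStreamSource source;
  auto capturer = std::make_unique<CapturerSource>(&source, with_fix);
  assert(source.RequestAudio() == 1);  // live registration serves audio
  capturer.reset();                    // track stopped, capturer freed
  return source.HasCapturer();  // old code: stale pointer; fix: cleared
}
```

With the fix, a later RequestAudio() on the source returns -1 instead of calling through freed memory; without it the source has no way to know its capturer is gone.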

Patch Set 1

Stats: +31 lines, -4 lines
M content/renderer/media/webaudio_capturer_source.h (4 chunks, +11 lines, -1 line, 0 comments)
M content/renderer/media/webaudio_capturer_source.cc (3 chunks, +19 lines, -2 lines, 0 comments)
M content/renderer/media/webrtc/peer_connection_dependency_factory.cc (1 chunk, +1 line, -1 line, 0 comments)

Messages

Total messages: 4 (1 generated)
magjed_chromium
Please take a look.
5 years, 7 months ago (2015-05-12 15:27:24 UTC) #2
Guido Urdaneta
lgtm
5 years, 7 months ago (2015-05-12 15:29:06 UTC) #3
magjed_chromium
5 years, 7 months ago (2015-05-12 15:34:49 UTC) #4
Message was sent while issue was closed.
Committed patchset #1 (id:1) to pending queue manually as
1734831a8fa0a32d2ac1a676c2f6d739b75227b0 (presubmit successful).
