media/filters/skcanvas_video_renderer.cc - Issue 624633002: Fix potential use-after-free bug in VideoImageGenerator::onGetYUV8Planes.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: media/filters/skcanvas_video_renderer.cc

Issue 624633002: Fix potential use-after-free bug in VideoImageGenerator::onGetYUV8Planes. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: give up removing |generator_| Created 6 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: media/filters/skcanvas_video_renderer.cc

diff --git a/media/filters/skcanvas_video_renderer.cc b/media/filters/skcanvas_video_renderer.cc

index 6c73a17216114029fe6b2aa793bed4f375f1cf4f..9dcf67a7ada815ea478a3ef9c00777c3ad04b918 100644

--- a/media/filters/skcanvas_video_renderer.cc

+++ b/media/filters/skcanvas_video_renderer.cc

@@ -208,7 +208,9 @@ static void ConvertVideoFrameToRGBPixels(

// Generates an RGB image from a VideoFrame.

class VideoImageGenerator : public SkImageGenerator {

public:

- VideoImageGenerator(const scoped_refptr<VideoFrame>& frame) : frame_(frame) {}

+ VideoImageGenerator(const scoped_refptr<VideoFrame>& frame) : frame_(frame) {

+ DCHECK(frame_.get());

+ }

virtual ~VideoImageGenerator() {}

void set_frame(const scoped_refptr<VideoFrame>& frame) { frame_ = frame; }

@@ -230,10 +232,9 @@ class VideoImageGenerator : public SkImageGenerator {

if (!frame_.get())

return false;

if (!pixels)

- return true;

+ return false;

// If skia couldn't do the YUV conversion, we will.

ConvertVideoFrameToRGBPixels(frame_, pixels, row_bytes);

- frame_ = NULL;

return true;

}

@@ -278,13 +279,13 @@ class VideoImageGenerator : public SkImageGenerator {

planes[plane] = frame_->data(plane) + offset;

}

- if (planes && row_bytes)

- frame_ = NULL;

return true;

}

private:

scoped_refptr<VideoFrame> frame_;

+ DISALLOW_IMPLICIT_CONSTRUCTORS(VideoImageGenerator);

};

SkCanvasVideoRenderer::SkCanvasVideoRenderer()

@@ -379,6 +380,10 @@ void SkCanvasVideoRenderer::Paint(const scoped_refptr<VideoFrame>& video_frame,

if (need_transform)

canvas->restore();

canvas->flush();

+ // SkCanvas::flush() causes the generator to generate SkImage, so delete

+ // |video_frame| not to be outlived.

+ if (generator_)

+ generator_->set_frame(NULL);

}

void SkCanvasVideoRenderer::Copy(const scoped_refptr<VideoFrame>& video_frame,

« no previous file with comments | « no previous file | no next file » | no next file with comments »