Post media log destruction to avoid destruction

SendQueuedMediaEvents is able to tickle oilpan just enough to cause the owning BatchingMediaLog to be destroyed in the middle of executing, causing a UAF. (cherry picked from commit 57e905d) Bug: 1317714 Change-Id: Iac2f32aee70eee183be279b372beb2ff39e6c5a0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3682060 Reviewed-by: Frank Liberato <liberato@chromium.org> Auto-Submit: Ted (Chromium) Meyer <tmathmeyer@chromium.org> Reviewed-by: Thomas Guilbert <tguilbert@chromium.org> Commit-Queue: Ted (Chromium) Meyer <tmathmeyer@chromium.org> Cr-Original-Commit-Position: refs/heads/main@{#1009670} Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3691383 Reviewed-by: Dan Sanders <sandersd@chromium.org> Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Cr-Commit-Position: refs/branch-heads/5060@{#615} Cr-Branched-From: b83393d-refs/heads/main@{#1002911}
chromium · Jun 6, 2022 · 8dfc224 · 8dfc224
1 parent bf33032
commit 8dfc224
Showing 1 changed file with 13 additions and 2 deletions.
diff --git a/third_party/blink/renderer/modules/webcodecs/codec_logger.h b/third_party/blink/renderer/modules/webcodecs/codec_logger.h
@@ -9,10 +9,10 @@
 #include <string>
 
 #include "base/check.h"
+#include "base/location.h"
 #include "base/memory/scoped_refptr.h"
 #include "base/sequence_checker.h"
 #include "media/base/media_log.h"
-#include "base/location.h"
 #include "media/base/media_util.h"
 #include "third_party/blink/public/platform/platform.h"
 #include "third_party/blink/renderer/core/dom/dom_exception.h"
@@ -72,9 +72,17 @@ class MODULES_EXPORT CodecLogger final {
     // This allows us to destroy |parent_media_log_| and stop logging,
     // without causing problems to |media_log_| users.
     media_log_ = parent_media_log_->Clone();
+
+    task_runner_ = task_runner;
   }
 
-  ~CodecLogger() { DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_); }
+  ~CodecLogger() {
+    DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+    // media logs must be posted for destruction, since they can cause the
+    // garbage collector to trigger an immediate cleanup and delete the owning
+    // instance of |CodecLogger|.
+    task_runner_->DeleteSoon(FROM_HERE, std::move(parent_media_log_));
+  }
 
   void SendPlayerNameInformation(const ExecutionContext& context,
                                  std::string loadedAs) {
@@ -135,6 +143,9 @@ class MODULES_EXPORT CodecLogger final {
   // can be safely accessed, and whose raw pointer can be given callbacks.
   std::unique_ptr<media::MediaLog> media_log_;
 
+  // Keep task runner around for posting the media log to upon destruction.
+  scoped_refptr<base::SingleThreadTaskRunner> task_runner_;
+
   SEQUENCE_CHECKER(sequence_checker_);
 };