The Vulnerability History Project

Fix heap-use-after-free issue with WebAudioCapturerSource.

WebAudioCapturerSource registers with a blink WebMediaStreamSource.
When the audio track was stopped, the WebAudioCapturerSource was
destroyed and the WebMediaStreamSource was left with a dangling
pointer, which it tried to use, resulting in access to freed
memory and usually a crashed tab.

This CL makes WebAudioCapturerSource aware of the WebMediaStreamSource
with which it is registered, so that it can be deregistered when the
audio track is stopped.

BUG=473253
TEST=See testcase.html in crbug.com/473253

Review URL: https://codereview.chromium.org/1071063005

Cr-Commit-Position: refs/heads/master@{#324622}
    
commit 228cd9447121ede4d32ab48c8dfe066736cfdae2
+2 -19
+1 -11
+1 -1
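The registration lifetime described in the commit message, as an added example that is not the Chromium/Blink code from this CL: `AudioConsumer`, `StreamSource` and `CapturerSource` are hypothetical, simplified stand-ins. The capturer remembers the source it registered with and removes itself when stopped or destroyed, so the source never keeps a dangling pointer. It assumes the source outlives the capturer.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// Hypothetical consumer interface; not the Blink API.
class AudioConsumer {
 public:
  virtual ~AudioConsumer() = default;
  virtual void OnAudio(int frames) = 0;
};

// Hypothetical stand-in for the stream source. It stores raw, non-owning
// pointers, so every registered consumer must deregister before it dies.
class StreamSource {
 public:
  void AddConsumer(AudioConsumer* c) { consumers_.push_back(c); }
  void RemoveConsumer(AudioConsumer* c) {
    consumers_.erase(std::remove(consumers_.begin(), consumers_.end(), c),
                     consumers_.end());
  }
  void Deliver(int frames) {
    for (AudioConsumer* c : consumers_) c->OnAudio(frames);
  }
  std::size_t consumer_count() const { return consumers_.size(); }
 private:
  std::vector<AudioConsumer*> consumers_;
};

// Hypothetical stand-in for the capturer. It remembers the source it is
// registered with, so stopping (or destruction) undoes the registration.
class CapturerSource : public AudioConsumer {
 public:
  ~CapturerSource() override { Stop(); }
  void RegisterWith(StreamSource* source) {
    Stop();  // never stay registered with a previous source
    source_ = source;
    source_->AddConsumer(this);
  }
  void Stop() {
    if (!source_) return;  // already deregistered
    source_->RemoveConsumer(this);
    source_ = nullptr;
  }
  void OnAudio(int frames) override { frames_seen_ += frames; }
  int frames_seen() const { return frames_seen_; }
 private:
  StreamSource* source_ = nullptr;  // non-owning; assumed to outlive us
  int frames_seen_ = 0;
};
```

Without the `Stop()` call in the destructor, `StreamSource::Deliver` would call through a freed object after the capturer goes away, which is the failure mode the commit message describes.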