electron/patches/chromium/cherry-pick-38e4483e47f9.patch


From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Johannes Kron <kron@chromium.org>
Date: Wed, 19 Jun 2024 20:59:48 +0000
Subject: Use BindPostTask() + weak pointer in callback handler
The callback handler incorrectly accessed member objects directly, which may
cause a use-after-free (UAF). Avoid this by using BindPostTask() together with a weak pointer.
Fixed: 346898524
Change-Id: I9d03d6decfd0212af88d3d0d8d70f83f1081d2e3
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5639016
Reviewed-by: Avi Drissman <avi@chromium.org>
Reviewed-by: Mark Foltz <mfoltz@chromium.org>
Commit-Queue: Johannes Kron <kron@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1317142}
diff --git a/content/browser/media/capture/screen_capture_kit_device_mac.mm b/content/browser/media/capture/screen_capture_kit_device_mac.mm
index 4fb3e8eb5f34a7ee9e8b0f22a7c842129cdc31eb..e2710fba1a8d7a4cee6023558898c74706a9c189 100644
--- a/content/browser/media/capture/screen_capture_kit_device_mac.mm
+++ b/content/browser/media/capture/screen_capture_kit_device_mac.mm
@@ -326,13 +326,18 @@ void OnStreamSample(gfx::ScopedInUseIOSurface io_surface,
destRectInFrame:dest_rect_in_frame
frameRate:requested_capture_format_->
frame_rate];
+
+ __block base::OnceCallback<void()> on_update_configuration_error =
+ base::BindPostTask(
+ device_task_runner_,
+ base::BindOnce(
+ &ScreenCaptureKitDeviceMac::OnUpdateConfigurationError,
+ weak_factory_.GetWeakPtr()));
[stream_
updateConfiguration:config
completionHandler:^(NSError* _Nullable error) {
if (error) {
- client()->OnError(
- media::VideoCaptureError::kScreenCaptureKitStreamError,
- FROM_HERE, "Error on updateConfiguration");
+ std::move(on_update_configuration_error).Run();
}
}];
}
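Review bot: Nothing above the `__block base::OnceCallback<void()> on_update_configuration_error` declaration says why the completion handler must not touch members, so a later edit could put `client()` or a member access back inside the block. Going by the commit description, the handler can run after the object is gone, so I would add a comment there such as `// The completion handler may outlive |this|: never touch members inside the block; post back to device_task_runner_ through a WeakPtr.` The same comment applies to the `on_update_content_filter_completed` declaration in the ResetStreamTo hunk. The enclosing function starts outside this hunk, so it is not visible whether it asserts that it runs on the device sequence before calling `weak_factory_.GetWeakPtr()`; if it does not, a `DCHECK(device_task_runner_->RunsTasksInCurrentSequence());` before the bind would document that assumption.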
@@ -361,6 +366,21 @@ void OnStreamError() {
FROM_HERE, "Stream delegate called didStopWithError");
}
}
+ void OnUpdateContentFilterCompleted(NSError* _Nullable error) {
+ DCHECK(device_task_runner_->RunsTasksInCurrentSequence());
+ is_resetting_ = false;
+
+ if (error) {
+ client()->OnError(media::VideoCaptureError::kScreenCaptureKitStreamError,
+ FROM_HERE,
+ "Error on updateContentFilter (fullscreen window).");
+ }
+ }
+ void OnUpdateConfigurationError() {
+ DCHECK(device_task_runner_->RunsTasksInCurrentSequence());
+ client()->OnError(media::VideoCaptureError::kScreenCaptureKitStreamError,
+ FROM_HERE, "Error on updateConfiguration");
+ }
// IOSurfaceCaptureDeviceBase:
void OnStart() override {
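Review bot: `OnUpdateConfigurationError()` takes no argument, so the NSError reported by updateConfiguration is dropped inside the block, while `OnUpdateContentFilterCompleted(NSError* _Nullable error)` in the same hunk receives it. Neither handler records what the error said; the client only gets a fixed string. I would give both the same shape, `void OnUpdateConfigurationError(NSError* _Nullable error)`, with the bound type in the first hunk becoming `base::OnceCallback<void(NSError*)>` and the call `.Run(error)`. Logging `error.localizedDescription` next to each `client()->OnError(...)` call would then let a capture failure be diagnosed from logs. The enclosing class begins and ends outside the hunk.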
@@ -411,15 +431,16 @@ void ResetStreamTo(SCWindow* window) override {
SCContentFilter* filter =
[[SCContentFilter alloc] initWithDesktopIndependentWindow:window];
+ __block base::OnceCallback<void(NSError*)>
+ on_update_content_filter_completed = base::BindPostTask(
+ device_task_runner_,
+ base::BindOnce(
+ &ScreenCaptureKitDeviceMac::OnUpdateContentFilterCompleted,
+ weak_factory_.GetWeakPtr()));
+
[stream_ updateContentFilter:filter
completionHandler:^(NSError* _Nullable error) {
- is_resetting_ = false;
- if (error) {
- client()->OnError(
- media::VideoCaptureError::kScreenCaptureKitStreamError,
- FROM_HERE,
- "Error on updateContentFilter (fullscreen window).");
- }
+ std::move(on_update_content_filter_completed).Run(error);
}];
}