[Backport] CVE-2021-30522: Use after free in WebAudio

Raymond Toy · mibrunin · commit 5db4492a5ee4 · 2021-07-21T14:07:51.000Z
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2874771: Add AudioHandler to orphan handlers when context is suspended. If the context is suspended, pulling of the audio graph is stopped. But we still need to add the handler in this case so that when the context is resumed, the handler is still alive until it can be safely removed. Hence, we must still add the handler if the context is suspended. Test cases from issue 1176218 manually tested with no failures. Also this doesn't cause any regressions in issue 1003807 and issue 1017961. (Manually tested the test cases from those issues.) Bug: 1176218 Change-Id: Icd927c488505dfee9ff716866f98286e286d546a Reviewed-by: Hongchan Choi <hongchan@chromium.org> Commit-Queue: Raymond Toy <rtoy@chromium.org> Cr-Commit-Position: refs/heads/master@{#881533} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
diff --git a/chromium/third_party/blink/renderer/modules/webaudio/audio_node.cc b/chromium/third_party/blink/renderer/modules/webaudio/audio_node.cc
@@ -609,13 +609,13 @@ void AudioNode::Dispose() {
   BaseAudioContext::GraphAutoLocker locker(context());
   Handler().Dispose();
 
-  // Add the handler to the orphan list if the context is pulling on the audio
-  // graph.  This keeps the handler alive until it can be deleted at a safe
-  // point (in pre/post handler task).  If graph isn't being pulled, we can
-  // delete the handler now since nothing on the audio thread will be touching
-  // it.
+  // Add the handler to the orphan list.  This keeps the handler alive until it
+  // can be deleted at a safe point (in pre/post handler task).  If the graph is
+  // being processed, the handler must be added.  If the context is suspended,
+  // the handler still needs to be added in case the context is resumed.
   DCHECK(context());
-  if (context()->IsPullingAudioGraph()) {
+  if (context()->IsPullingAudioGraph() ||
+      context()->ContextState() == BaseAudioContext::kSuspended) {
     context()->GetDeferredTaskHandler().AddRenderingOrphanHandler(
         std::move(handler_));
   }
