Issue 621141 link

Starred by 1 user

Issue metadata

Status:	Fixed
Owner:	█ alokp@chromium.org Last visit > 30 days ago
Closed:	Jun 2016
Cc:	sande...@chromium.org xhw...@chromium.org
EstimatedDays:	----
NextAction:	----
OS:	All
Pri:	2
Type:	Bug

Blocking:
issue 571155

Use after free in MojoDemuxerStreamImpl

Project Member Reported by alokp@chromium.org, Jun 17 2016

Issue description

Once media::Renderer is destroyed, it must not use the demuxer streams becuase the Demuxer can be destroyed any time after that.

The current ownership model of MojoRendererImpl and MojoDemuxerStreamImpl does not enforce this. Destroying MojoRendererImpl destroys the remote MojoRendererService, which in turn destroys the remote MojoDemuxerStreamImpl. Between the time MojoRendererImpl is destroyed and MojoDemuxerStreamImpl is destroyed, the local Demuxer gets destroyed and if there are any Read calls on MojoDemuxerStreamImpl, it will try to use the invalid DemuxerStream pointer.

Comment 1 by alokp@chromium.org, Jun 17 2016

If we let MojoRendererImpl own MojoDemuxerStreamImpl, the problem gets fixed. I will upload a patch shortly.

Project Member

Comment 2 by bugdroid1@chromium.org, Jun 19 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/61fdb768d7395fbb73daff12d9b38100df6a044f

commit 61fdb768d7395fbb73daff12d9b38100df6a044f
Author: alokp <alokp@chromium.org>
Date: Sun Jun 19 09:04:57 2016

Fixes use-after-free in MojoDemuxerStreamImpl.

BUG= 621141 

Review-Url: https://codereview.chromium.org/2075193002
Cr-Commit-Position: refs/heads/master@{#400615}

[modify] https://crrev.com/61fdb768d7395fbb73daff12d9b38100df6a044f/media/mojo/clients/mojo_demuxer_stream_impl.h
[modify] https://crrev.com/61fdb768d7395fbb73daff12d9b38100df6a044f/media/mojo/clients/mojo_renderer_impl.cc
[modify] https://crrev.com/61fdb768d7395fbb73daff12d9b38100df6a044f/media/mojo/clients/mojo_renderer_impl.h

Project Member

Comment 3 by bugdroid1@chromium.org, Jun 20 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4a4b616f6a4a642f590fe10e32bce7c841dc540b

commit 4a4b616f6a4a642f590fe10e32bce7c841dc540b
Author: alokp <alokp@chromium.org>
Date: Mon Jun 20 17:56:54 2016

Fixes memory leak in media_mojo_shell_unittests.

BUG= 621141 

Review-Url: https://codereview.chromium.org/2087473002
Cr-Commit-Position: refs/heads/master@{#400720}

[modify] https://crrev.com/4a4b616f6a4a642f590fe10e32bce7c841dc540b/media/mojo/services/media_mojo_unittest.cc

Comment 4 by alokp@chromium.org, Jun 20 2016

Status: Fixed (was: Assigned)

Project Member

Comment 5 by bugdroid1@chromium.org, Jun 21 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/57a3c25712bcf3135453838b575126b0e94be7d3

commit 57a3c25712bcf3135453838b575126b0e94be7d3
Author: alokp <alokp@chromium.org>
Date: Tue Jun 21 19:00:18 2016

Handles MOJO_HANDLE_SIGNAL_PEER_CLOSED in MojoDemuxerStreamAdapter.

BUG= 621141 

Review-Url: https://codereview.chromium.org/2088633002
Cr-Commit-Position: refs/heads/master@{#401062}

[modify] https://crrev.com/57a3c25712bcf3135453838b575126b0e94be7d3/media/mojo/services/mojo_demuxer_stream_adapter.cc

►

Issue 621141 link

Issue metadata

Use after free in MojoDemuxerStreamImpl

Issue description

Comment 1 by alokp@chromium.org, Jun 17 2016

Comment 1 Deleted

Comment 2 by bugdroid1@chromium.org, Jun 19 2016

Comment 2 Deleted

Comment 3 by bugdroid1@chromium.org, Jun 20 2016

Comment 3 Deleted

Comment 4 by alokp@chromium.org, Jun 20 2016

Comment 4 Deleted

Comment 5 by bugdroid1@chromium.org, Jun 21 2016

Comment 5 Deleted

Sign in to add a comment