zqz/platform-external-webrtc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix Heap-use-after-free.

Browse Source 
This change fixes a problem where VideoRtpReceiver::OnGenerateKeyFrame would
use it's stored media_channel_ pointer after the channel was deleted. This was
due to the higher layer RtpTransceiver not clearing the reference with SetMediaChannel(nullptr) when removing the receiver, and the VideoRtpReceiver's embedded VideoRtpTrackSource subsequently requesting a key frame.

Bug: chromium:1037703
Change-Id: Iee8338458063866589b70b4070793fbe600d41ff
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/164538
Reviewed-by: Florent Castelli <orphis@webrtc.org>
Reviewed-by: Steve Anton <steveanton@webrtc.org>
Commit-Queue: Markus Handell <handellm@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#30175}
This commit is contained in:
Markus Handell
2020-01-07 19:46:15 +01:00
committed by Commit Bot
parent 2e6ca11bd1
commit 43e62fcc76
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
pc/rtp_transceiver.cc
View File

@ -127,6 +127,11 @@ bool RtpTransceiver::RemoveReceiver(RtpReceiverInterface* receiver) {
return false;
}
(*it)->internal()->Stop();
// After the receiver has been removed, there's no guarantee that the
// contained media channel isn't deleted shortly after this. To make sure that
// the receiver doesn't spontaneously try to use it's (potentially stale)
// media channel reference, we clear it out.
(*it)->internal()->SetMediaChannel(nullptr);
receivers_.erase(it);
return true;
}