services/video_capture: Stop Device from DeviceFactory to avoid UaF
Device should call Stop() when VideoSource remote is discarded with active PushSubscription, this CL doing this by calling DeviceFactory for safety. Bug: 1383442, 1360658 Change-Id: If4817ee2a87c9e9c327b9921479bd7f38b7f50d4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4025329 Reviewed-by: Henrik Boström <hbos@chromium.org> Commit-Queue: Zhaoliang Ma <zhaoliang.ma@intel.com> Cr-Commit-Position: refs/heads/main@{#1071375}
This commit is contained in:

committed by
Chromium LUCI CQ

parent
57dcfdbacf
commit
02cdf46154
services/video_capture
@ -83,9 +83,9 @@ void VideoSourceImpl::CreatePushSubscription(
|
||||
void VideoSourceImpl::OnClientDisconnected() {
|
||||
DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
|
||||
|
||||
// Stop |device_| when lose connection with VideoSourceImpl client.
|
||||
if (device_)
|
||||
device_->StopInProcess();
|
||||
// We need to stop devices when VideoSource remote discarded with active
|
||||
// subscription.
|
||||
device_factory_->StopDeviceInProcess(device_id_);
|
||||
|
||||
if (receivers_.empty()) {
|
||||
// Note: Invoking this callback may synchronously trigger the destruction of
|
||||
@ -121,8 +121,8 @@ void VideoSourceImpl::OnCreateDeviceResponse(
|
||||
scoped_trace->AddStep("StartDevice");
|
||||
|
||||
// Device was created successfully.
|
||||
device_ = info.device;
|
||||
device_->StartInProcess(device_start_settings_, broadcaster_.GetWeakPtr());
|
||||
info.device->StartInProcess(device_start_settings_,
|
||||
broadcaster_.GetWeakPtr());
|
||||
device_status_ = DeviceStatus::kStarted;
|
||||
if (push_subscriptions_.empty()) {
|
||||
StopDeviceAsynchronously();
|
||||
@ -130,7 +130,7 @@ void VideoSourceImpl::OnCreateDeviceResponse(
|
||||
}
|
||||
for (auto& entry : push_subscriptions_) {
|
||||
auto& subscription = entry.second;
|
||||
subscription->SetDevice(device_);
|
||||
subscription->SetDevice(info.device);
|
||||
subscription->OnDeviceStartSucceededWithSettings(device_start_settings_);
|
||||
}
|
||||
return;
|
||||
@ -191,7 +191,6 @@ void VideoSourceImpl::StopDeviceAsynchronously() {
|
||||
// Stop the device by closing the connection to it. Stopping is complete when
|
||||
// OnStopDeviceComplete() gets invoked.
|
||||
device_factory_->StopDeviceInProcess(device_id_);
|
||||
device_ = nullptr;
|
||||
device_status_ = DeviceStatus::kStoppingAsynchronously;
|
||||
}
|
||||
|
||||
|
@ -82,7 +82,6 @@ class VideoSourceImpl : public mojom::VideoSource {
|
||||
push_subscriptions_;
|
||||
BroadcastingReceiver broadcaster_;
|
||||
DeviceStatus device_status_;
|
||||
raw_ptr<Device> device_;
|
||||
media::VideoCaptureParams device_start_settings_;
|
||||
bool restart_device_once_when_stop_complete_;
|
||||
|
||||
|
Reference in New Issue
Block a user