
services/video_capture: Stop Device from DeviceFactory to avoid UaF

Device should call Stop() when the VideoSource remote is discarded with an active PushSubscription; this CL does this by calling DeviceFactory, for safety.

Bug: 1383442, 1360658
Change-Id: If4817ee2a87c9e9c327b9921479bd7f38b7f50d4
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4025329
Reviewed-by: Henrik Boström <hbos@chromium.org>
Commit-Queue: Zhaoliang Ma <zhaoliang.ma@intel.com>
Cr-Commit-Position: refs/heads/main@{#1071375}
Zhaoliang Ma
2022-11-15 01:29:27 +00:00
committed by Chromium LUCI CQ
parent 57dcfdbacf
commit 02cdf46154
2 changed files with 6 additions and 8 deletions

@ -83,9 +83,9 @@ void VideoSourceImpl::CreatePushSubscription(
void VideoSourceImpl::OnClientDisconnected() {
DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
// Stop |device_| when lose connection with VideoSourceImpl client.
if (device_)
device_->StopInProcess();
// We need to stop devices when VideoSource remote discarded with active
// subscription.
device_factory_->StopDeviceInProcess(device_id_);
if (receivers_.empty()) {
// Note: Invoking this callback may synchronously trigger the destruction of
@ -121,8 +121,8 @@ void VideoSourceImpl::OnCreateDeviceResponse(
scoped_trace->AddStep("StartDevice");
// Device was created successfully.
device_ = info.device;
device_->StartInProcess(device_start_settings_, broadcaster_.GetWeakPtr());
info.device->StartInProcess(device_start_settings_,
broadcaster_.GetWeakPtr());
device_status_ = DeviceStatus::kStarted;
if (push_subscriptions_.empty()) {
StopDeviceAsynchronously();
@ -130,7 +130,7 @@ void VideoSourceImpl::OnCreateDeviceResponse(
}
for (auto& entry : push_subscriptions_) {
auto& subscription = entry.second;
subscription->SetDevice(device_);
subscription->SetDevice(info.device);
subscription->OnDeviceStartSucceededWithSettings(device_start_settings_);
}
return;
@ -191,7 +191,6 @@ void VideoSourceImpl::StopDeviceAsynchronously() {
// Stop the device by closing the connection to it. Stopping is complete when
// OnStopDeviceComplete() gets invoked.
device_factory_->StopDeviceInProcess(device_id_);
device_ = nullptr;
device_status_ = DeviceStatus::kStoppingAsynchronously;
}
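Review bot: In OnClientDisconnected (first hunk) the new `device_factory_->StopDeviceInProcess(device_id_)` call is unconditional, whereas the old code stopped only when `device_` was non-null, so it now also runs when no device was started or when StopDeviceAsynchronously() has already issued the same stop. Whether StopDeviceInProcess tolerates an unknown or already-stopping id is not visible on this page; if that is not guaranteed, keep the old condition with `if (device_status_ == DeviceStatus::kStarted) device_factory_->StopDeviceInProcess(device_id_);`, or state the idempotence in the comment above the call. Unlike StopDeviceAsynchronously(), the visible lines do not update `device_status_` after this stop; the function body continues past the hunk, so this may be handled there. Separately, the third hunk still hands the raw `info.device` pointer to every subscription through `SetDevice()`, so it is worth confirming that a subscription cannot dereference it after the factory has stopped the device.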

@ -82,7 +82,6 @@ class VideoSourceImpl : public mojom::VideoSource {
push_subscriptions_;
BroadcastingReceiver broadcaster_;
DeviceStatus device_status_;
raw_ptr<Device> device_;
media::VideoCaptureParams device_start_settings_;
bool restart_device_once_when_stop_complete_;