github/electron
1
1
Fork 0
mirror of https://github.com/electron/electron.git synced 2026-04-10 03:01:51 -04:00
Code Issues Packages Projects Releases Wiki Activity

chore: cherry-pick 9ad8c9610d0a from chromium (#25240)

Browse Source
This commit is contained in:
Jeremy Rose
2020-09-02 12:02:49 -07:00
committed by GitHub
parent b032c415c1
commit 8a69889048
2 changed files with 43 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
patches/chromium/.patches
View File

@@ -126,6 +126,7 @@ cherry-pick-9d100199c92b.patch
cherry-pick-bee371eeaf66.patch
cherry-pick-9746a4cde14a.patch
avoid_loading_dri_via_gbm_when_gpumemorybuffers_are_disabled.patch
cherry-pick-9ad8c9610d0a.patch
indexeddb_fix_crash_in_webidbgetdbnamescallbacksimpl.patch
indexeddb_reset_async_tasks_in_webidbgetdbnamescallbacksimpl.patch
reland_fix_uaf_in_selecttype.patch

42
patches/chromium/cherry-pick-9ad8c9610d0a.patch Normal file
View File

@@ -0,0 +1,42 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Guido Urdaneta <guidou@chromium.org>
Date: Tue, 4 Aug 2020 21:25:10 +0000
Subject: Use copy of source map in
MediaElementElementListener::UpdateSources()
Prior to this CL, this function iterated over a source map that could
be modified by a re-entrant call triggered by JS code.
(cherry picked from commit 292ac9aa5ba263f63f761e03b8214cae21e667c9)
Bug: 1105426
Change-Id: I47e49e4132cba98e12ee7c195720ac9ecc1f485b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2312703
Reviewed-by: Marina Ciocea <marinaciocea@chromium.org>
Commit-Queue: Guido Urdaneta <guidou@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#790894}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2332823
Reviewed-by: Guido Urdaneta <guidou@chromium.org>
Cr-Commit-Position: refs/branch-heads/4147@{#1026}
Cr-Branched-From: 16307825352720ae04d898f37efa5449ad68b606-refs/heads/master@{#768962}
diff --git a/third_party/blink/renderer/modules/mediacapturefromelement/html_media_element_capture.cc b/third_party/blink/renderer/modules/mediacapturefromelement/html_media_element_capture.cc
index 03ba68236c511ba2d2767af3c796b37a90dce476..80f36cb236adee50aefc505ff64f092cbc4e82b9 100644
--- a/third_party/blink/renderer/modules/mediacapturefromelement/html_media_element_capture.cc
+++ b/third_party/blink/renderer/modules/mediacapturefromelement/html_media_element_capture.cc
@@ -242,9 +242,14 @@ void MediaElementEventListener::UpdateSources(ExecutionContext* context) {
for (auto track : media_stream_->getTracks())
sources_.insert(track->Component()->Source());
+ // Handling of the ended event in JS triggered by DidStopMediaStreamSource()
+ // may cause a reentrant call to this function, which can modify |sources_|.
+ // Iterate over a copy of |sources_| to avoid invalidation of the iterator
+ // when a reentrant call occurs.
+ auto sources_copy = sources_;
if (!media_element_->currentSrc().IsEmpty() &&
!media_element_->IsMediaDataCorsSameOrigin()) {
- for (auto source : sources_)
+ for (auto source : sources_copy)
DidStopMediaStreamSource(source.Get());
}
}