[470][Backport] CVE-2025-8292: Use after free in Media Stream

evliu-google · Michal Klocek · commit bb0c912fcb93 · 2025-09-22T11:13:41.000+02:00
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/6712212: Fix potential UAF in MediaStreamTrackImpl This CL fixes a potential UAF vulnerability in MediaStreamTrackImpl where pointers to the SpeechRecognitionMediaStreamAudioSinks that are owned by the MediaStreamTrackImpl could potentially be accessed after the sinks are destroyed. Fixed: 426054987 Change-Id: I453160a8eed7926e2cc3500260de04d2722c98e1 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6712212 Commit-Queue: Evan Liu <evliu@google.com> Reviewed-by: Mark Foltz <mfoltz@chromium.org> Cr-Commit-Position: refs/heads/main@{#1486476} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/665071 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
diff --git a/chromium/third_party/blink/renderer/modules/mediastream/media_stream_track_impl.cc b/chromium/third_party/blink/renderer/modules/mediastream/media_stream_track_impl.cc
@@ -752,6 +752,19 @@ CaptureHandle* MediaStreamTrackImpl::getCaptureHandle() const {
   return capture_handle;
 }
 
+void MediaStreamTrackImpl::Dispose() {
+  // `MediaStreamTrackImpl` and the `SpeechRecognitionMediaStreamAudioSink`
+  // which it owns may be destroyed before the `MediaStreamAudioTrack`. Remove
+  // the sinks before destroying them to prevent `MediaStreamAudioTrack` from
+  // using them after destruction.
+  if (MediaStreamAudioTrack* audio_track =
+          MediaStreamAudioTrack::From(Component())) {
+    for (SpeechRecognitionMediaStreamAudioSink* sink : registered_sinks_) {
+      audio_track->RemoveSink(sink);
+    }
+  }
+}
+
 ScriptPromise<IDLUndefined> MediaStreamTrackImpl::applyConstraints(
     ScriptState* script_state,
     const MediaTrackConstraints* constraints) {
diff --git a/chromium/third_party/blink/renderer/modules/mediastream/media_stream_track_impl.h b/chromium/third_party/blink/renderer/modules/mediastream/media_stream_track_impl.h
@@ -57,6 +57,8 @@ class ScriptState;
 // Primary implementation of the MediaStreamTrack interface and idl type.
 class MODULES_EXPORT MediaStreamTrackImpl : public MediaStreamTrack,
                                             public MediaStreamSource::Observer {
+  USING_PRE_FINALIZER(MediaStreamTrackImpl, Dispose);
+
  public:
   // Create a MediaStreamTrackImpl of the appropriate type for the display
   // surface type.
@@ -166,6 +168,8 @@ class MODULES_EXPORT MediaStreamTrackImpl : public MediaStreamTrack,
   friend class CanvasCaptureMediaStreamTrack;
   friend class InternalsMediaStream;
 
+  void Dispose();
+
   // MediaStreamTrack
   void applyConstraints(ScriptPromiseResolver<IDLUndefined>*,
                         const MediaTrackConstraints*) override;
