Skip to content

Commit 40d1f42

Browse files
Zaggy1024Zaggy1024
committed
LibMedia: Keep data providers' ThreadDatas alive in deferred_invoke
We need strong references to the thread data in order to prevent a UAF when, for example, a seek starts as GC is destroying a media element.
1 parent eaf1564 commit 40d1f42

File tree

2 files changed

+21
-21
lines changed

2 files changed

+21
-21
lines changed

Libraries/LibMedia/Providers/AudioDataProvider.cpp

Lines changed: 12 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -124,22 +124,22 @@ template<typename T>
124124
void AudioDataProvider::ThreadData::process_seek_on_main_thread(u32 seek_id, T&& function)
125125
{
126126
m_last_processed_seek_id = seek_id;
127-
m_main_thread_event_loop.deferred_invoke([this, seek_id, function] mutable {
128-
if (m_seek_id != seek_id)
127+
m_main_thread_event_loop.deferred_invoke([self = NonnullRefPtr(*this), seek_id, function] mutable {
128+
if (self->m_seek_id != seek_id)
129129
return;
130130
function();
131131
});
132132
}
133133

134134
void AudioDataProvider::ThreadData::resolve_seek(u32 seek_id)
135135
{
136-
process_seek_on_main_thread(seek_id, [this] {
136+
process_seek_on_main_thread(seek_id, [self = NonnullRefPtr(*this)] {
137137
{
138-
auto locker = take_lock();
139-
m_is_in_error_state = false;
140-
m_wait_condition.broadcast();
138+
auto locker = self->take_lock();
139+
self->m_is_in_error_state = false;
140+
self->m_wait_condition.broadcast();
141141
}
142-
auto handler = move(m_seek_completion_handler);
142+
auto handler = move(self->m_seek_completion_handler);
143143
if (handler)
144144
handler();
145145
});
@@ -158,9 +158,9 @@ bool AudioDataProvider::ThreadData::handle_seek()
158158
}
159159

160160
process_seek_on_main_thread(seek_id,
161-
[this, error = move(error)] mutable {
162-
m_error_handler(move(error));
163-
m_seek_completion_handler = nullptr;
161+
[self = NonnullRefPtr(*this), error = move(error)] mutable {
162+
self->m_error_handler(move(error));
163+
self->m_seek_completion_handler = nullptr;
164164
});
165165
};
166166

@@ -251,8 +251,8 @@ void AudioDataProvider::ThreadData::push_data_and_decode_a_block()
251251
m_is_in_error_state = true;
252252
while (!m_error_handler)
253253
m_wait_condition.wait();
254-
m_main_thread_event_loop.deferred_invoke([this, error = move(error)] mutable {
255-
m_error_handler(move(error));
254+
m_main_thread_event_loop.deferred_invoke([self = NonnullRefPtr(*this), error = move(error)] mutable {
255+
self->m_error_handler(move(error));
256256
});
257257
}
258258

Libraries/LibMedia/Providers/VideoDataProvider.cpp

Lines changed: 9 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -158,8 +158,8 @@ template<typename T>
158158
void VideoDataProvider::ThreadData::process_seek_on_main_thread(u32 seek_id, T&& function)
159159
{
160160
m_last_processed_seek_id = seek_id;
161-
m_main_thread_event_loop.deferred_invoke([this, seek_id, function] mutable {
162-
if (m_seek_id != seek_id)
161+
m_main_thread_event_loop.deferred_invoke([self = NonnullRefPtr(*this), seek_id, function] mutable {
162+
if (self->m_seek_id != seek_id)
163163
return;
164164
function();
165165
});
@@ -168,8 +168,8 @@ void VideoDataProvider::ThreadData::process_seek_on_main_thread(u32 seek_id, T&&
168168
void VideoDataProvider::ThreadData::resolve_seek(u32 seek_id, AK::Duration const& timestamp)
169169
{
170170
m_is_in_error_state = false;
171-
process_seek_on_main_thread(seek_id, [this, timestamp] {
172-
auto handler = move(m_seek_completion_handler);
171+
process_seek_on_main_thread(seek_id, [self = NonnullRefPtr(*this), timestamp] {
172+
auto handler = move(self->m_seek_completion_handler);
173173
if (handler)
174174
handler(timestamp);
175175
});
@@ -198,9 +198,9 @@ bool VideoDataProvider::ThreadData::handle_seek()
198198
m_queue.clear();
199199
}
200200
process_seek_on_main_thread(seek_id,
201-
[this, error = move(error)] mutable {
202-
m_error_handler(move(error));
203-
m_seek_completion_handler = nullptr;
201+
[self = NonnullRefPtr(*this), error = move(error)] mutable {
202+
self->m_error_handler(move(error));
203+
self->m_seek_completion_handler = nullptr;
204204
});
205205
};
206206

@@ -346,8 +346,8 @@ void VideoDataProvider::ThreadData::push_data_and_decode_some_frames()
346346
m_is_in_error_state = true;
347347
while (!m_error_handler)
348348
m_wait_condition.wait();
349-
m_main_thread_event_loop.deferred_invoke([this, error = move(error)] mutable {
350-
m_error_handler(move(error));
349+
m_main_thread_event_loop.deferred_invoke([self = NonnullRefPtr(*this), error = move(error)] mutable {
350+
self->m_error_handler(move(error));
351351
});
352352
}
353353

0 commit comments

Comments
 (0)