[M118] FrameCadenceAdapter: stop delayed refresh frame calls on dtor.

The FrameCadenceAdapter starts a delayed task to request a new refresh frame on receiving frame drop. However, the resulting RepeatingTaskHandle was not Stop()ed on destruction, leading to UAF. (cherry picked from commit fb98b01) Fixed: chromium:1478944 Change-Id: Iba441420953e989cfc7fcfd2f358b5b30f375786 Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/320200 Reviewed-by: Ilya Nikolaevskiy <ilnik@webrtc.org> Commit-Queue: Ilya Nikolaevskiy <ilnik@webrtc.org> Cr-Original-Commit-Position: refs/heads/main@{#40747} Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/320420 Reviewed-by: Henrik Andreassson <henrika@webrtc.org> Cr-Commit-Position: refs/branch-heads/5993@{#1} Cr-Branched-From: 5afcec0-refs/heads/main@{#40703}
signalapp · Sep 18, 2023 · 7349579 · 7349579
1 parent 5afcec0
commit 7349579
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 0 deletions.
diff --git a/video/frame_cadence_adapter.cc b/video/frame_cadence_adapter.cc
@@ -102,6 +102,7 @@ class ZeroHertzAdapterMode : public AdapterMode {
                        Clock* clock,
                        FrameCadenceAdapterInterface::Callback* callback,
                        double max_fps);
+  ~ZeroHertzAdapterMode() { refresh_frame_requester_.Stop(); }
 
   // Reconfigures according to parameters.
   // All spatial layer trackers are initialized as unconverged by this method.

diff --git a/video/frame_cadence_adapter_unittest.cc b/video/frame_cadence_adapter_unittest.cc
@@ -563,6 +563,29 @@ TEST(FrameCadenceAdapterTest, AcceptsUnconfiguredLayerFeedback) {
   adapter->UpdateLayerStatus(2, false);
 }
 
+TEST(FrameCadenceAdapterTest, IgnoresDropInducedCallbacksPostDestruction) {
+  ZeroHertzFieldTrialEnabler enabler;
+  auto callback = std::make_unique<MockCallback>();
+  GlobalSimulatedTimeController time_controller(Timestamp::Zero());
+  auto queue = time_controller.GetTaskQueueFactory()->CreateTaskQueue(
+      "queue", TaskQueueFactory::Priority::NORMAL);
+  auto adapter = FrameCadenceAdapterInterface::Create(
+      time_controller.GetClock(), queue.get(), enabler);
+  queue->PostTask([&adapter, &callback] {
+    adapter->Initialize(callback.get());
+    adapter->SetZeroHertzModeEnabled(
+        FrameCadenceAdapterInterface::ZeroHertzModeParams{});
+  });
+  time_controller.AdvanceTime(TimeDelta::Zero());
+  constexpr int kMaxFps = 10;
+  adapter->OnConstraintsChanged(VideoTrackSourceConstraints{0, kMaxFps});
+  adapter->OnDiscardedFrame();
+  time_controller.AdvanceTime(TimeDelta::Zero());
+  callback = nullptr;
+  queue->PostTask([adapter = std::move(adapter)]() mutable {});
+  time_controller.AdvanceTime(3 * TimeDelta::Seconds(1) / kMaxFps);
+}
+
 class FrameCadenceAdapterSimulcastLayersParamTest
     : public ::testing::TestWithParam<int> {
  public: