From 82f359e45d805221e1aa90cce320c7640723c26c Mon Sep 17 00:00:00 2001 From: Byoungchan Lee Date: Thu, 28 Jul 2022 10:15:46 +0900 Subject: [PATCH] Fix UAF in VideoSendStreamTest.MinTransmitBitrateRespectsRemb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit From when callTest's send_transport_ is deleted and until the test is completely ended, there is a possibility that the background task webrtc::ModuleRtpRtcpImpl2::MaybeSendRtcpAtOrAfterTimestamp will call send_transport_ which has already been deleted. Fix this by deleting rtp_rtcp_ before send_transport_ is deleted. Bug: webrtc:14202 Change-Id: Ief96c4712875beb55ef232a8bce990d1e9e9efe1 Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/266300 Reviewed-by: Erik Språng Commit-Queue: Daniel.L (Byoungchan) Lee Cr-Commit-Position: refs/heads/main@{#37633} --- video/video_send_stream_tests.cc | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/video/video_send_stream_tests.cc b/video/video_send_stream_tests.cc index 23b26cdd47..cadd70f3cc 100644 --- a/video/video_send_stream_tests.cc +++ b/video/video_send_stream_tests.cc @@ -1487,11 +1487,6 @@ TEST_F(VideoSendStreamTest, MinTransmitBitrateRespectsRemb) { bitrate_capped_(false), task_safety_flag_(PendingTaskSafetyFlag::CreateDetached()) {} - ~BitrateObserver() override { - // Make sure we free `rtp_rtcp_` in the same context as we constructed it. - SendTask(RTC_FROM_HERE, task_queue_, [this]() { rtp_rtcp_ = nullptr; }); - } - private: Action OnSendRtp(const uint8_t* packet, size_t length) override { if (IsRtcpPacket(rtc::MakeArrayView(packet, length))) @@ -1547,7 +1542,10 @@ TEST_F(VideoSendStreamTest, MinTransmitBitrateRespectsRemb) { encoder_config->min_transmit_bitrate_bps = kMinTransmitBitrateBps; } - void OnStreamsStopped() override { task_safety_flag_->SetNotAlive(); } + void OnStreamsStopped() override { + task_safety_flag_->SetNotAlive(); + rtp_rtcp_.reset(); + } void PerformTest() override { EXPECT_TRUE(Wait())