[Backport] CVE-2021-30530: Out of bounds memory access in WebAudio

hoch · Allan Sandfeld Jensen · commit 260e76054ffd · 2021-06-22T09:16:26.000Z
Cherr-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2875846: Return false when the size of audio_port_1 and audio_port_2 is different The current code assumes the size of audio ports is identical because the number of inputs and outputs cannot change after construction. This assumption is broken when multiple AudioWorkletNodes share a singleton AudioWorkletProcessor instance. This patch removes the assumption and explicitly returns false when the number of inputs and outputs does not match. Bug: 1201033, 120260 Test: 3 repro cases submitted do not crash on ASAN. Change-Id: I4065e7970b9b7b54468fc82558509a3238ff28e4 Commit-Queue: Hongchan Choi <hongchan@chromium.org> Reviewed-by: Raymond Toy <rtoy@chromium.org> Cr-Commit-Position: refs/heads/master@{#879631} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
diff --git a/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_processor.cc b/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_processor.cc
@@ -180,11 +180,14 @@ bool AudioWorkletProcessor::PortTopologyMatches(
   if (audio_port_2.IsEmpty())
     return false;
 
-  // Two AudioPorts are supposed to have the same length because the number of
-  // inputs and outputs of AudioNode cannot change after construction.
   v8::Local<v8::Array> port_2_local = audio_port_2.NewLocal(isolate);
   DCHECK(port_2_local->IsArray());
-  DCHECK_EQ(audio_port_1.size(), port_2_local->Length());
+
+  // Two audio ports may have a different number of inputs or outputs. See
+  // crbug.com/1202060
+  if (audio_port_1.size() != port_2_local->Length()) {
+    return false;
+  }
 
   v8::TryCatch try_catch(isolate);
 
