From 43e62fcc766bc81fdf9004519597d2fa86015a00 Mon Sep 17 00:00:00 2001
From: Markus Handell
Date: Tue, 7 Jan 2020 19:46:15 +0100
Subject: [PATCH] Fix Heap-use-after-free.

This change fixes a problem where VideoRtpReceiver::OnGenerateKeyFrame would use it's stored media_channel_ pointer after the channel was deleted. This was due to the higher layer RtpTransceiver not clearing the reference with SetMediaChannel(nullptr) when removing the receiver, and the VideoRtpReceiver's embedded VideoRtpTrackSource subsequently requesting a key frame.

Bug: chromium:1037703
Change-Id: Iee8338458063866589b70b4070793fbe600d41ff
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/164538
Reviewed-by: Florent Castelli
Reviewed-by: Steve Anton
Commit-Queue: Markus Handell
Cr-Commit-Position: refs/heads/master@{#30175}
---
 pc/rtp_transceiver.cc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pc/rtp_transceiver.cc b/pc/rtp_transceiver.cc
index d8d168191e..d3281d5e6e 100644
--- a/pc/rtp_transceiver.cc
+++ b/pc/rtp_transceiver.cc
@@ -127,6 +127,11 @@ bool RtpTransceiver::RemoveReceiver(RtpReceiverInterface* receiver) {
 return false;
 }
 (*it)->internal()->Stop();
+ // After the receiver has been removed, there's no guarantee that the
+ // contained media channel isn't deleted shortly after this. To make sure that
+ // the receiver doesn't spontaneously try to use it's (potentially stale)
+ // media channel reference, we clear it out.
+ (*it)->internal()->SetMediaChannel(nullptr);
 receivers_.erase(it);
 return true;
 }
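Review bot: The added comment reads `try to use it's (potentially stale) media channel reference` where the possessive is meant, so the line should be `// the receiver doesn't spontaneously try to use its (potentially stale)`. Beyond wording, the clear-out only covers the RemoveReceiver path; if the transceiver can also drop or replace its channel while receivers are still attached (presumably through a SetChannel path outside this hunk), the same dangling-pointer window would remain unless that path also calls `SetMediaChannel(nullptr)`, which is worth confirming rather than inferring from this hunk alone. A regression test that removes a receiver, destroys the channel and then drives a key-frame request on the still-referenced receiver would pin the fix under ASan, since the commit adds none. RemoveReceiver begins before the hunk; the final `}` shown closes it.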