From ddd50ef9210ecc735f4201ab24d4e2ba4e5c24b0 Mon Sep 17 00:00:00 2001
From: Ilya Nikolaevskiy
Date: Thu, 29 Aug 2019 17:28:26 +0200
Subject: [PATCH] Use HasOneRef to ensure safe reallocation of buffer in EncodedImage

If somehow buffer is shared between other locations, reallocating it may lead to use-after-free error.

Bug: none
Change-Id: I01a0b722cfe6ee0e18546248f1dfb7b8ac3b7217
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/150884
Reviewed-by: Niels Moller
Commit-Queue: Ilya Nikolaevskiy
Cr-Commit-Position: refs/heads/master@{#29021}
---
 api/video/encoded_image.cc | 2 +-
 api/video/encoded_image.h | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/api/video/encoded_image.cc b/api/video/encoded_image.cc
index d2cc751317..55970fcd00 100644
--- a/api/video/encoded_image.cc
+++ b/api/video/encoded_image.cc
@@ -77,7 +77,7 @@ void EncodedImage::Retain() {
 }
 
 void EncodedImage::Allocate(size_t capacity) {
- if (encoded_data_) {
+ if (encoded_data_ && encoded_data_->HasOneRef()) {
 encoded_data_->Realloc(capacity);
 } else {
 encoded_data_ = EncodedImageBuffer::Create(capacity);
diff --git a/api/video/encoded_image.h b/api/video/encoded_image.h
index 9aa5046a3e..a980ef7ee1 100644
--- a/api/video/encoded_image.h
+++ b/api/video/encoded_image.h
@@ -47,6 +47,9 @@ class EncodedImageBufferInterface : public rtc::RefCountInterface {
 // EncodedImage::Allocate. Implemented properly only by the below concrete
 // class
 virtual void Realloc(size_t size) { RTC_NOTREACHED(); }
+ // Will be implemented by RefCountedObject, which also implements
+ // |rtc::RefCountInterface|.
+ virtual bool HasOneRef() const = 0;
 };
 
 // Basic implementation of EncodedImageBufferInterface.
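Review bot: When the buffer is shared, `Allocate` now falls through to `EncodedImageBuffer::Create(capacity)`, so the image switches to a fresh buffer and whatever the old one held is no longer reachable through this object. If `Realloc` preserves contents (its body is not in the hunk), the two branches now leave the caller with different data after the same call. Any size or offset the image tracks separately from the buffer would then describe bytes that were never written, so it is worth confirming that callers treat the buffer as empty after `Allocate`. I would state the contract at the branch, e.g. `// Shared buffer: never resize in place; take a fresh buffer. Old contents are not copied.` The body of `Allocate` continues past the end of the hunk.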
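Review bot: The comment on `HasOneRef()` says who implements it but not what a caller may conclude from it, and `Allocate` in encoded_image.cc now relies on it as the safety condition for `Realloc`. A result of true is only meaningful to the holder of that single reference, and only while the owning `EncodedImage` is not being copied on another thread; a result of false can go stale at any time. I would extend the comment with `// Returns true iff the caller holds the only reference; only then may the buffer be resized in place.` An implementer that does not go through `RefCountedObject` and answers true while other references exist would bring back the use-after-free, so the wording should make that a requirement. The class body starts before the hunk.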