From fb98b01061e7eec51a800b53d4346827f89336a5 Mon Sep 17 00:00:00 2001
From: Markus Handell <handellm@webrtc.org>
Date: Thu, 14 Sep 2023 01:31:11 +0300
Subject: [PATCH] FrameCadenceAdapter: stop delayed refresh frame calls on
 dtor.

The FrameCadenceAdapter starts a delayed task to request a
new refresh frame on receiving frame drop. However, the
resulting RepeatingTaskHandle was not Stop()ed on destruction,
leading to UAF.

Fixed: chromium:1478944
Change-Id: Iba441420953e989cfc7fcfd2f358b5b30f375786
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/320200
Reviewed-by: Ilya Nikolaevskiy <ilnik@webrtc.org>
Commit-Queue: Ilya Nikolaevskiy <ilnik@webrtc.org>
Cr-Commit-Position: refs/heads/main@{#40747}
---
 video/frame_cadence_adapter.cc          |  1 +
 video/frame_cadence_adapter_unittest.cc | 23 +++++++++++++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/video/frame_cadence_adapter.cc b/video/frame_cadence_adapter.cc
index a8d581b568..ef76038ef0 100644
--- a/video/frame_cadence_adapter.cc
+++ b/video/frame_cadence_adapter.cc
@@ -102,6 +102,7 @@ class ZeroHertzAdapterMode : public AdapterMode {
                        Clock* clock,
                        FrameCadenceAdapterInterface::Callback* callback,
                        double max_fps);
+  ~ZeroHertzAdapterMode() { refresh_frame_requester_.Stop(); }
 
   // Reconfigures according to parameters.
   // All spatial layer trackers are initialized as unconverged by this method.
diff --git a/video/frame_cadence_adapter_unittest.cc b/video/frame_cadence_adapter_unittest.cc
index 1fd2091c34..052b0a6c61 100644
--- a/video/frame_cadence_adapter_unittest.cc
+++ b/video/frame_cadence_adapter_unittest.cc
@@ -563,6 +563,29 @@ TEST(FrameCadenceAdapterTest, AcceptsUnconfiguredLayerFeedback) {
   adapter->UpdateLayerStatus(2, false);
 }
 
+TEST(FrameCadenceAdapterTest, IgnoresDropInducedCallbacksPostDestruction) {
+  ZeroHertzFieldTrialEnabler enabler;
+  auto callback = std::make_unique<MockCallback>();
+  GlobalSimulatedTimeController time_controller(Timestamp::Zero());
+  auto queue = time_controller.GetTaskQueueFactory()->CreateTaskQueue(
+      "queue", TaskQueueFactory::Priority::NORMAL);
+  auto adapter = FrameCadenceAdapterInterface::Create(
+      time_controller.GetClock(), queue.get(), enabler);
+  queue->PostTask([&adapter, &callback] {
+    adapter->Initialize(callback.get());
+    adapter->SetZeroHertzModeEnabled(
+        FrameCadenceAdapterInterface::ZeroHertzModeParams{});
+  });
+  time_controller.AdvanceTime(TimeDelta::Zero());
+  constexpr int kMaxFps = 10;
+  adapter->OnConstraintsChanged(VideoTrackSourceConstraints{0, kMaxFps});
+  adapter->OnDiscardedFrame();
+  time_controller.AdvanceTime(TimeDelta::Zero());
+  callback = nullptr;
+  queue->PostTask([adapter = std::move(adapter)]() mutable {});
+  time_controller.AdvanceTime(3 * TimeDelta::Seconds(1) / kMaxFps);
+}
+
 class FrameCadenceAdapterSimulcastLayersParamTest
     : public ::testing::TestWithParam<int> {
  public: