Bug 1428684 - reduce the chance of UAF when changing states of MDSM. r=kaku

SetState() will delete the current state object and UAF will happen if members are accessed after this call. However, sometimes it is not obvious if SetState() is called indirectly as we do in MaybeFinishSeek(). To make it less error-prone, we will keep the old state object alive for a bit longer and set mMaster to null to catch potential UAF. MozReview-Commit-ID: Aqxj92ETjti --HG-- extra : rebase_source : 21b4a0b6df2b1723eed01b6c9d58b33b8dcc6405
2018-01-08 11:41:59 +08:00 · 2018-01-08 11:41:59 +08:00 · 29bae87780
--- a/dom/media/MediaDecoderStateMachine.cpp
+++ b/dom/media/MediaDecoderStateMachine.cpp
@ -290,8 +290,7 @@ protected:
    // the elements of the Tuple into the final function call.
    auto copiedArgs = MakeTuple(Forward<Ts>(aArgs)...);

-    // keep mMaster in a local object because mMaster will become invalid after
-    // the current state object is deleted.
+    // Copy mMaster which will reset to null.
    auto master = mMaster;

    auto* s = new S(master);
@ -303,6 +302,14 @@ protected:

    Exit();

+    // Delete the old state asynchronously to avoid UAF if the caller tries to
+    // access its members after SetState() returns.
+    master->OwnerThread()->DispatchDirectTask(
+      NS_NewRunnableFunction("MDSM::StateObject::DeleteOldState",
+                             [toDelete = Move(master->mStateObj)](){}));
+    // Also reset mMaster to catch potentail UAF.
+    mMaster = nullptr;
+
    master->mStateObj.reset(s);
    return CallEnterMemberFunction(s, copiedArgs,
                                   typename IndexSequenceFor<Ts...>::Type());