[Backport] CVE-2024-11112: Use after free in Media

Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/5910432:
avoid heap-use-after-free in OverlayStateObserverImpl::Create

In PS38 of
https://chromium-review.googlesource.com/c/chromium/src/+/3403933/37..38,
`scoped_refptr<OverlayStateServiceProvider>` parameter of
`OverlayStateObserverImpl::Create()' was changed into
`OverlayStateServiceProvider*`. This causes the heap-use-after-free
issue described in https://issuetracker.google.com/issues/354824998.

This CL is to follow existing code pattern of producing `scoped_refptr`
in `RenderThreadImpl::GetStreamTextureFactory()`/
`RenderThreadImpl::GetDCOMPTextureFactor()` instead of returning a raw
pointer in `RenderThreadImpl::GetOverlayStateServiceProvider()`.

Bug: 354824998
Change-Id: Ic188bf18b28a5f024488bd92fb11f6fca6c5d05a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5910432
Reviewed-by: Dale Curtis <[email protected]>
Reviewed-by: Daniel Cheng <[email protected]>
Commit-Queue: Frank Li <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1368423}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/607607
Reviewed-by: Anu Aliyas <[email protected]>

Author: FrankLi-MSFT

chromium/content/renderer/media/media_factory.cc

@@ -690,7 +690,7 @@ MediaFactory::CreateRendererFactorySelector(
 
     media::ObserveOverlayStateCB observe_overlay_state_cb =
         base::BindRepeating(&OverlayStateObserverImpl::Create,
-                            render_thread->GetOverlayStateServiceProvider());
+                            base::RetainedRef(render_thread->GetOverlayStateServiceProvider()));
 
     factory_selector->AddFactory(
         RendererType::kMediaFoundation,

chromium/content/renderer/media/win/overlay_state_observer_impl.cc

@@ -16,7 +16,7 @@ OverlayStateObserverImpl::Create(
     StateChangedCB state_changed_cb) {
   if (overlay_state_service_provider) {
     return base::WrapUnique(new OverlayStateObserverImpl(
-        overlay_state_service_provider, mailbox, state_changed_cb));
+        overlay_state_service_provider, mailbox, std::move(state_changed_cb)));
   }
   return nullptr;
 }

chromium/content/renderer/media/win/overlay_state_service_provider.h

@@ -15,11 +15,19 @@ class GpuChannelHost;
 
 namespace content {
 
-class OverlayStateServiceProvider {
+class OverlayStateServiceProvider
+    : public base::RefCountedThreadSafe<OverlayStateServiceProvider> {
  public:
   virtual bool RegisterObserver(
       mojo::PendingRemote<gpu::mojom::OverlayStateObserver> pending_remote,
       const gpu::Mailbox& mailbox) = 0;
+
+ protected:
+  friend class base::RefCountedThreadSafe<OverlayStateServiceProvider>;
+  OverlayStateServiceProvider() = default;
+  OverlayStateServiceProvider(const OverlayStateServiceProvider&) = delete;
+  OverlayStateServiceProvider& operator=(const OverlayStateServiceProvider&) =
+      delete;
   virtual ~OverlayStateServiceProvider() = default;
 };
 
@@ -29,7 +37,6 @@ class OverlayStateServiceProviderImpl : public OverlayStateServiceProvider {
  public:
   explicit OverlayStateServiceProviderImpl(
       scoped_refptr<gpu::GpuChannelHost> channel);
-  ~OverlayStateServiceProviderImpl() override;
 
   bool RegisterObserver(
       mojo::PendingRemote<gpu::mojom::OverlayStateObserver> pending_remote,
@@ -43,6 +50,7 @@ class OverlayStateServiceProviderImpl : public OverlayStateServiceProvider {
       delete;
   OverlayStateServiceProviderImpl& operator=(
       const OverlayStateServiceProviderImpl&) = delete;
+  ~OverlayStateServiceProviderImpl() override;
 
   scoped_refptr<gpu::GpuChannelHost> channel_;
 };

chromium/content/renderer/render_thread_impl.cc

@@ -1268,7 +1268,7 @@ scoped_refptr<DCOMPTextureFactory> RenderThreadImpl::GetDCOMPTextureFactory() {
   return dcomp_texture_factory_;
 }
 
-OverlayStateServiceProvider*
+scoped_refptr<OverlayStateServiceProvider>
 RenderThreadImpl::GetOverlayStateServiceProvider() {
   DCHECK(IsMainThread());
   // Only set 'overlay_state_service_provider_' if Media Foundation for clear
@@ -1282,11 +1282,12 @@ RenderThreadImpl::GetOverlayStateServiceProvider() {
         return nullptr;
       }
       overlay_state_service_provider_ =
-          std::make_unique<OverlayStateServiceProviderImpl>(std::move(channel));
+          base::MakeRefCounted<OverlayStateServiceProviderImpl>(
+              std::move(channel));
     }
   }
 
-  return overlay_state_service_provider_.get();
+  return overlay_state_service_provider_;
 }
 #endif  // BUILDFLAG(IS_WIN)
 

chromium/content/renderer/render_thread_impl.h

@@ -265,7 +265,7 @@ class CONTENT_EXPORT RenderThreadImpl
   // The OverlayStateService is only available where Media Foundation for
   // clear is supported, otherwise GetOverlayStateServiceProvider will return
   // nullptr.
-  OverlayStateServiceProvider* GetOverlayStateServiceProvider();
+  scoped_refptr<OverlayStateServiceProvider> GetOverlayStateServiceProvider();
 #endif
 
   blink::WebVideoCaptureImplManager* video_capture_impl_manager() const {
@@ -530,7 +530,7 @@ class CONTENT_EXPORT RenderThreadImpl
 
 #if BUILDFLAG(IS_WIN)
   scoped_refptr<DCOMPTextureFactory> dcomp_texture_factory_;
-  std::unique_ptr<OverlayStateServiceProviderImpl>
+  scoped_refptr<OverlayStateServiceProviderImpl>
       overlay_state_service_provider_;
 #endif