From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: "mark a. foltz"
Date: Mon, 17 Jun 2024 23:07:32 +0000
Subject: Retain refptr to shared helper to prevent UAF.

Capture a reference to the shared helper in the onerror handler to prevent a UAF that can occur when the browser drops the mojo connection.

Bug: 346692546
Change-Id: Ifb264488a6fa8417c134a34d902605d2c141720b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5634908
Reviewed-by: Avi Drissman
Commit-Queue: Mark Foltz
Cr-Commit-Position: refs/heads/main@{#1316145}

diff --git a/media/audio/mac/audio_loopback_input_mac_impl.mm b/media/audio/mac/audio_loopback_input_mac_impl.mm
index 7b301492f17a3f1da96b8ff990f6deeb4a19b6e3..f90c00e668f58c2389e622466422ae7aa237c94d 100644
--- a/media/audio/mac/audio_loopback_input_mac_impl.mm
+++ b/media/audio/mac/audio_loopback_input_mac_impl.mm
@@ -394,12 +394,15 @@ - (void)stream:(SCStream*)stream
 base::BindRepeating(&SCKAudioInputStream::OnStreamError, base::Unretained(this)));
+ // Make a local copy of the shared_refptr in case the error handler is called
+ // after `this` is destroyed.
+ auto local_shared_helper = shared_helper_;
 [stream_ startCaptureWithCompletionHandler:^(NSError* error) {
 if (!error) {
 return;
 }
- shared_helper_->OnStreamError(error);
+ local_shared_helper->OnStreamError(error);
 }];
 }
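Review bot: The copied `local_shared_helper` keeps the helper object alive across the completion handler, but the error callback registered just above it is still bound with `base::Unretained(this)`, so `local_shared_helper->OnStreamError(error)` running after `this` is destroyed is only safe if the helper drops or ignores that callback once the owning stream is gone — that logic is outside this hunk, and the new comment should name the invariant the fix relies on rather than only the lifetime of the pointer. The comment also refers to a `shared_refptr`, which does not match any type visible here; presumably `scoped_refptr` is meant. Suggested wording: `// Capture a scoped_refptr to the shared helper so the completion handler can reach it even if `this` is destroyed first; this presumes the helper clears the Unretained(this) error callback before that point.` The enclosing `stream:` method begins before this hunk.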