Skip to content

media: fix heap-use-after-free in CobaltAudioRendererSink #9035

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
kjyoun wants to merge 3 commits into
base: main
Choose a base branch
from
Open

media: fix heap-use-after-free in CobaltAudioRendererSink #9035

kjyoun wants to merge 3 commits into from

Conversation

@kjyoun
Copy link
Contributor

@kjyoun kjyoun commented Feb 10, 2026
edited
Loading

Refactor CobaltAudioRendererSink to manage SbAudioSink lifecycle
with std::unique_ptr and a custom deleter. This guarantees proper
destruction of the audio sink when the renderer sink is destroyed or
reset.

This change prevents background ALSA threads from accessing a freed
SbAudioSink object, addressing a heap-use-after-free ASAN error seen
when UpdateSourceStatus was called on a freed instance.

Issue: 483384414

@kjyoun
cobalt/media/audio: fix heap-use-after-free in CobaltAudioRendererSink
063d009 
Use std::unique_ptr with a custom deleter for SbAudioSink to ensure
the audio sink is properly destroyed when CobaltAudioRendererSink is
destroyed. This prevents background ALSA threads from accessing the
freed sink object.

Fixes an ASAN error where UpdateSourceStatus was called on a freed
CobaltAudioRendererSink instance.

Bug: 483384414
Issue: 483384414
@kjyoun kjyoun changed the title cobalt/media/audio: fix heap-use-after-free in CobaltAudioRendererSink media: fix heap-use-after-free in CobaltAudioRendererSink Feb 10, 2026
@github-actions
Copy link

github-actions bot commented Feb 10, 2026

🤖 Gemini Suggested Commit Message

media: Fix heap-use-after-free in audio renderer sink

Refactor CobaltAudioRendererSink to manage SbAudioSink lifecycle
with std::unique_ptr and a custom deleter. This guarantees proper
destruction of the audio sink when the renderer sink is destroyed or
reset.

This change prevents background ALSA threads from accessing a freed
SbAudioSink object, addressing a heap-use-after-free ASAN error seen
when UpdateSourceStatus was called on a freed instance.

Bug: 483384414

💡 Pro Tips for a Better Commit Message:

  1. Influence the Result: Want to change the output? You can write custom prompts or instructions directly in the Pull Request description. The model uses that text to generate the message.
  2. Re-run the Generator: Post a comment with: /generate-commit-message

@kjyoun
Copy link
Contributor Author

kjyoun commented Feb 10, 2026

/gemini review

gemini-code-assist[bot]
gemini-code-assist bot reviewed Feb 10, 2026
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request effectively resolves a heap-use-after-free vulnerability in CobaltAudioRendererSink by employing a std::unique_ptr with a custom deleter to manage the lifecycle of SbAudioSink. This change correctly applies the RAII principle to ensure the audio sink is always deallocated, even in error paths or during object destruction. The implementation is solid and directly addresses the issue. I have one suggestion to introduce a type alias for the unique_ptr, which would improve code readability and maintainability.

@kjyoun kjyoun marked this pull request as ready for review February 10, 2026 19:34
gemini-code-assist[bot]
gemini-code-assist bot reviewed Feb 10, 2026
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request effectively addresses a heap-use-after-free bug by managing the SbAudioSink lifecycle with a std::unique_ptr and a custom deleter. This is a solid approach to ensure proper resource management. My review includes a few suggestions to align the implementation more closely with idiomatic C++ practices for handling C-style opaque pointers with smart pointers, which will improve code clarity and maintainability.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sideb0ard sideb0ard Awaiting requested review from sideb0ard

@jellefoks jellefoks Awaiting requested review from jellefoks

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@kjyoun