[Backport] CVE-2024-7536: Use after free in WebAudio

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/5744142:
Avoid accessing unconnected outputs in AudioWorkletHandler, AudioHandler

This CL fixes the logic to zero out output buses regardless of the
outgoing connection status. If an output bus is not connected (or
disconnected), we should assume that the outgoing connection might
be stale.

This fix is verified locally by both the author and the reporter.

Bug: 354847246
Change-Id: If10c7bb816e50f7b88252aa9a981b53704724da0
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5744142
Commit-Queue: Hongchan Choi <[email protected]>
Reviewed-by: Michael Wilson <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1334898}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/582138
Reviewed-by: Allan Sandfeld Jensen <[email protected]>

Author: hoch

chromium/third_party/blink/renderer/modules/webaudio/audio_handler.cc

@@ -398,7 +398,9 @@ bool AudioHandler::InputsAreSilent() {
 
 void AudioHandler::SilenceOutputs() {
   for (auto& output : outputs_) {
-    output->Bus()->Zero();
+    if (output->IsConnectedDuringRendering()) {
+      output->Bus()->Zero();
+    }
   }
 }
 

chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_handler.cc

@@ -114,7 +114,9 @@ void AudioWorkletHandler::Process(uint32_t frames_to_process) {
   // state. If so, silence the connected outputs and return.
   if (!processor_ || processor_->hasErrorOccurred()) {
     for (unsigned i = 0; i < NumberOfOutputs(); ++i) {
-      Output(i).Bus()->Zero();
+      if (Output(i).IsConnectedDuringRendering()) {
+        Output(i).Bus()->Zero();
+      }
     }
     return;
   }