media: fix heap-use-after-free in CobaltAudioRendererSink (youtube#9035)

Refactor CobaltAudioRendererSink to manage SbAudioSink lifecycle
with std::unique_ptr and a custom deleter. This guarantees proper
destruction of the audio sink when the renderer sink is destroyed or
reset.

This change prevents background ALSA threads from accessing a freed
SbAudioSink object, addressing a heap-use-after-free ASAN error seen
when UpdateSourceStatus was called on a freed instance.

Issue: 483384414

Author: kjyoun

cobalt/media/audio/cobalt_audio_renderer_sink.cc

@@ -31,6 +31,10 @@ int AlignUp(int value, int alignment) {
 }
 }  // namespace
 
+void SbAudioSinkDeleter::operator()(SbAudioSink sink) const {
+  SbAudioSinkDestroy(sink);
+}
+
 void CobaltAudioRendererSink::Initialize(const AudioParameters& params,
                                          RenderCallback* callback) {
   LOG(INFO) << "CobaltAudioRendererSink::Initialize - called with following "
@@ -78,17 +82,17 @@ void CobaltAudioRendererSink::Start() {
   }
 
   output_frame_buffers_[0] = output_frame_buffer_.get();
-  audio_sink_ = SbAudioSinkCreate(
+  audio_sink_ = AudioSinkUniquePtr(SbAudioSinkCreate(
       params_.channels(), nearest_supported_sample_rate_, output_sample_type_,
       kSbMediaAudioFrameStorageTypeInterleaved, &output_frame_buffers_[0],
       frames_per_channel_, &CobaltAudioRendererSink::UpdateSourceStatusFunc,
-      &CobaltAudioRendererSink::ConsumeFramesFunc, this);
-  DCHECK(SbAudioSinkIsValid(audio_sink_));
+      &CobaltAudioRendererSink::ConsumeFramesFunc, /*context=*/this));
+  CHECK(audio_sink_);
 }
 
 void CobaltAudioRendererSink::Stop() {
   is_eos_reached_.store(true);
-  SbAudioSinkDestroy(audio_sink_);
+  audio_sink_.reset();
   callback_ = nullptr;
 }
 
@@ -101,22 +105,22 @@ void CobaltAudioRendererSink::Pause() {
 }
 
 void CobaltAudioRendererSink::Flush() {
-  if (!SbAudioSinkIsValid(audio_sink_)) {
+  if (!audio_sink_) {
     return;
   }
   // TODO(b/390468794) consolidate this recreation as it duplicates code from
   // Stop() and Start()
-  SbAudioSinkDestroy(audio_sink_);
+  audio_sink_.reset();
   frames_rendered_ = 0;
   frames_consumed_ = 0;
-  audio_sink_ = SbAudioSinkCreate(
+  audio_sink_ = AudioSinkUniquePtr(SbAudioSinkCreate(
       params_.channels(),
       SbAudioSinkGetNearestSupportedSampleFrequency(params_.sample_rate()),
       output_sample_type_, kSbMediaAudioFrameStorageTypeInterleaved,
       &output_frame_buffers_[0], frames_per_channel_,
       &CobaltAudioRendererSink::UpdateSourceStatusFunc,
-      &CobaltAudioRendererSink::ConsumeFramesFunc, this);
-  DCHECK(SbAudioSinkIsValid(audio_sink_));
+      &CobaltAudioRendererSink::ConsumeFramesFunc, /*context=*/this));
+  CHECK(audio_sink_);
 }
 
 bool CobaltAudioRendererSink::SetVolume(double volume) {

cobalt/media/audio/cobalt_audio_renderer_sink.h

@@ -16,6 +16,7 @@
 #define COBALT_MEDIA_AUDIO_COBALT_AUDIO_RENDERER_SINK_H_
 
 #include <atomic>
+#include <memory>
 
 #include "media/base/audio_renderer_sink.h"
 #include "media/base/media_export.h"
@@ -24,6 +25,12 @@
 
 namespace media {
 
+// Custom deleter for Starboard Audio Sink.
+struct SbAudioSinkDeleter {
+  using pointer = SbAudioSink;
+  void operator()(SbAudioSink sink) const;
+};
+
 class MEDIA_EXPORT CobaltAudioRendererSink final : public AudioRendererSink {
  public:
   CobaltAudioRendererSink() = default;
@@ -84,7 +91,8 @@ class MEDIA_EXPORT CobaltAudioRendererSink final : public AudioRendererSink {
   std::atomic<bool> is_playing_ = false;
   std::atomic<bool> is_eos_reached_ = false;
 
-  SbAudioSink audio_sink_ = kSbAudioSinkInvalid;
+  using AudioSinkUniquePtr = std::unique_ptr<SbAudioSink, SbAudioSinkDeleter>;
+  AudioSinkUniquePtr audio_sink_;
 
   double resample_ratio_ = 1.0;
   std::unique_ptr<MultiChannelResampler> resampler_ = nullptr;