From 0eefa5aa1d89fbc958bbd870e9cf240555263c58 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E9=82=B5=E4=BF=8A=E6=9D=B0?=
Date: Wed, 30 Apr 2025 01:31:27 +0000
Subject: [PATCH] fix uaf
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 邵俊杰
---
 frameworks/js/avplayer/avplayer_napi.cpp | 6 ++++++
 frameworks/js/avplayer/avplayer_napi.h | 2 ++
 2 files changed, 8 insertions(+)
diff --git a/frameworks/js/avplayer/avplayer_napi.cpp b/frameworks/js/avplayer/avplayer_napi.cpp
index f57526823..f2d846ebb 100644
--- a/frameworks/js/avplayer/avplayer_napi.cpp
+++ b/frameworks/js/avplayer/avplayer_napi.cpp
@@ -716,6 +716,7 @@ napi_value AVPlayerNapi::JsRelease(napi_env env, napi_callback_info info)
 size_t argCount = 1;
 AVPlayerNapi *jsPlayer = AVPlayerNapi::GetJsInstanceWithParameter(env, info, argCount, args);
 CHECK_AND_RETURN_RET_LOG(jsPlayer != nullptr, result, "failed to GetJsInstance");
+ jsPlayer->isReadyReleased_.store(true);
 promiseCtx->callbackRef = CommonNapi::CreateReference(env, args[0]);
 promiseCtx->deferred = CommonNapi::CreatePromise(env, promiseCtx->callbackRef, result);
 MEDIA_LOGI("0x%{public}06" PRIXPTR " JsRelease EnqueueTask In", FAKE_POINTER(jsPlayer));
@@ -3394,6 +3395,11 @@ napi_value AVPlayerNapi::JsIsSeekContinuousSupported(napi_env env, napi_callback
 size_t argCount = 0;
 AVPlayerNapi *jsPlayer = AVPlayerNapi::GetJsInstanceWithParameter(env, info, argCount, nullptr);
 CHECK_AND_RETURN_RET_LOG(jsPlayer != nullptr, result, "failed to GetJsInstance");
+ if (jsPlayer->isReadyReleased_.load()) {
+ status = napi_get_boolean(env, false, &result);
+ CHECK_AND_RETURN_RET_LOG(status == napi_ok, result, "napi_get_boolean failed");
+ return result;
+ }
 if (jsPlayer->player_ != nullptr) {
 isSeekContinuousSupported = jsPlayer->player_->IsSeekContinuousSupported();
 status = napi_get_boolean(env, isSeekContinuousSupported, &result);
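Review bot: The `isReadyReleased_.store(true)` is done before the promise/reference setup and before the release task is enqueued, so if any of the later steps in JsRelease bails out (the function continues outside this hunk, so I cannot see whether they can), the instance stays flagged as released while `player_` is still alive and every guarded getter will report false from then on. If those steps cannot fail that is fine, but the intent deserves a comment, e.g. `// Flag release before enqueueing the async release task so JS-thread accessors stop touching player_ immediately.`. It is also worth stating in the comment that the flag is intentionally never cleared, since release is terminal for this object.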
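Review bot: The new `isReadyReleased_.load()` check in JsIsSeekContinuousSupported is a check-then-use: the flag is read, and a few lines later `jsPlayer->player_` is dereferenced, so the atomic only helps if the code that actually resets or destroys `player_` runs on the same thread as this napi callback. JsRelease only enqueues the release task ("JsRelease EnqueueTask In"), so if that task tears down `player_` on a worker thread, the window between the flag check and `jsPlayer->player_->IsSeekContinuousSupported()` remains open; holding `syncMutex_` (declared in the header hunk) across the check and the dereference, or having the task null `player_` under that mutex, would close it. Presumably other JS entry points that dereference `player_` need the same guard; they are not in this diff, so please confirm they are covered. A short comment on the early return, `// Released (or release pending): report unsupported instead of touching player_`, would also explain why `false` rather than an error is returned here.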
diff --git a/frameworks/js/avplayer/avplayer_napi.h b/frameworks/js/avplayer/avplayer_napi.h
index 6c9a42aa8..2688e5171 100644
--- a/frameworks/js/avplayer/avplayer_napi.h
+++ b/frameworks/js/avplayer/avplayer_napi.h
@@ -435,6 +435,8 @@ private:
 int32_t mode_ = SWITCH_SMOOTH;
 std::mutex syncMutex_;
 bool getApiVersionFlag_ = true;
+
+ std::atomic isReadyReleased_ = false;
 };
 } // namespace Media
 } // namespace OHOS
-- 
Gitee
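Review bot: `std::atomic isReadyReleased_ = false;` relies on class template argument deduction to pick `std::atomic<bool>`, which is legal in C++17 but unusual in a header and easy to misread; `std::atomic<bool> isReadyReleased_{false};` states the type and avoids the copy-initialization question for a non-copyable type. The include block is outside this hunk, so I cannot see whether `<atomic>` is already included; it should be added if the header currently gets it only transitively. The member also deserves a comment on what it protects, e.g. `// Set when JS release() is called; accessors must not touch player_ once this is true.`, including which thread writes it, since that is what makes the relaxed load/store pattern in the .cpp sufficient or not.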