Closed emaxx-google closed 9 months ago
Looks like the use-after-free is happening in this line that dereferences a freshly added transfer: https://github.com/GoogleChromeLabs/chromeos_smart_card_connector/blob/df83738650e975dbbaa4ffb9712abfe33b60faf2/third_party/libusb/webport/src/libusb_js_proxy.cc#L862
The problem seems to be that this transfer might've been already processed and freed by the other thread, because after the AddAsyncTransferInFlight() call above this transfer is placed into a data structure that's visible to other threads and, in case there's already a matching previously obtained transfer result, can be resolved by another thread immediately.
This was discovered after writing a test that involves multiple readers: #1088.
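The hazard described in the comment, "publish the transfer into a shared structure, then dereference the pointer you still hold", is a general lifetime-ownership pattern. The example below is added here and is not code from chromeos_smart_card_connector or libusb; `Transfer`, `TransferRegistry`, `SubmitTransfer` and the pending-result map are all hypothetical. The cross-thread race is modelled deterministically: a result that arrived before registration causes `Add()` to resolve and destroy the transfer synchronously, exactly the case where a post-`Add()` dereference would be a use-after-free. The hardened shape transfers ownership with `unique_ptr` and copies every field it needs before publication.

```cpp
// Added example (not project code): models the "publish-then-dereference"
// lifetime hazard and a hardened submit path.
#include <cstdint>
#include <cstdio>
#include <functional>
#include <map>
#include <memory>
#include <mutex>
#include <utility>

// Hypothetical transfer object (the real one lives in libusb_js_proxy.cc).
struct Transfer {
  int64_t id = 0;
  int endpoint = 0;
  std::function<void(int)> on_done;  // completion callback
  static int destroyed;              // counts destructions, for the demo only
  ~Transfer() { ++destroyed; }
};
int Transfer::destroyed = 0;

// Registry of transfers whose result may be delivered from another thread.
// Assumption: a result can arrive BEFORE its transfer is registered; in that
// case Add() resolves and destroys the transfer immediately, so the caller's
// previously held raw pointer would now dangle.
class TransferRegistry {
 public:
  // Takes ownership. Returns true if the transfer was resolved synchronously.
  bool Add(std::unique_ptr<Transfer> transfer) {
    std::unique_ptr<Transfer> to_resolve;
    int status = 0;
    {
      std::lock_guard<std::mutex> lock(mu_);
      auto result = pending_results_.find(transfer->id);
      if (result != pending_results_.end()) {
        status = result->second;
        pending_results_.erase(result);
        to_resolve = std::move(transfer);  // resolve outside the lock
      } else {
        in_flight_[transfer->id] = std::move(transfer);  // now shared
      }
    }
    if (!to_resolve) return false;
    Resolve(std::move(to_resolve), status);  // transfer is freed here
    return true;
  }

  // Called from the thread that receives transfer results.
  void OnResult(int64_t id, int status) {
    std::unique_ptr<Transfer> to_resolve;
    {
      std::lock_guard<std::mutex> lock(mu_);
      auto it = in_flight_.find(id);
      if (it == in_flight_.end()) {
        pending_results_[id] = status;  // transfer not registered yet
        return;
      }
      to_resolve = std::move(it->second);
      in_flight_.erase(it);
    }
    Resolve(std::move(to_resolve), status);
  }

 private:
  static void Resolve(std::unique_ptr<Transfer> t, int status) {
    if (t->on_done) t->on_done(status);
    // unique_ptr destroys the transfer when this function returns
  }
  std::mutex mu_;
  std::map<int64_t, std::unique_ptr<Transfer>> in_flight_;
  std::map<int64_t, int> pending_results_;
};

struct SubmitOutcome {
  int endpoint;               // copied before publication
  bool resolved_immediately;  // true: the object no longer exists
};

// Hardened submit path: everything needed after Add() is copied first, and
// ownership moves into the registry so there is no raw pointer left to misuse.
SubmitOutcome SubmitTransfer(TransferRegistry& registry, int64_t id,
                             int endpoint, int* completion_status) {
  std::unique_ptr<Transfer> transfer(new Transfer());
  transfer->id = id;
  transfer->endpoint = endpoint;
  transfer->on_done = [completion_status](int s) { *completion_status = s; };
  const int ep = transfer->endpoint;  // read BEFORE handing over ownership
  bool resolved = registry.Add(std::move(transfer));
  // `transfer` is null here; any field access must go through the copies.
  return SubmitOutcome{ep, resolved};
}

int main() {
  TransferRegistry registry;
  int status = -1;
  registry.OnResult(7, 42);  // result arrives before the transfer exists
  SubmitOutcome o = SubmitTransfer(registry, 7, 3, &status);
  std::printf("endpoint=%d resolved_immediately=%d status=%d destroyed=%d\n",
              o.endpoint, o.resolved_immediately, status, Transfer::destroyed);
  return 0;
}
```

The same discipline applies to the real code path: anything `SubmitTransfer()` needs after `AddAsyncTransferInFlight()` should be read into locals before the call, or the registry should return what the caller needs, so the only code that touches the object after publication is code that holds it under the registry's lock.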