Bug 1614971 Comment 6 Edit History

This is reproducible in the C backend as well. By applying this patch, which adds some delays at the proper times, the UAF can be reproduced via `cubeb-test`. The delays are added in exactly the same places as those in Attachment 9126802.

```
% ./cubeb-test   
Log level is DISABLED
Init cubeb backend: audiounit
collection device type is UNKNOWN
stream_init succeed
state is CUBEB_STATE_STARTED
stream_start succeed
press `q` to abort or `h` for help
q
state is CUBEB_STATE_STOPPED
1) <audiounit_stream_destroy> Force context-switch. Please fire a device-change event now!
// Need to manually change the default output device
2) <audiounit_reinit_stream_async> Sneak here when destroy_pending is 0. Then force context-switch.
3) <audiounit_stream_destroy> Executing destroy-task.
4) <audiounit_stream_destroy> destroy-task is done.
5) <audiounit_reinit_stream_async> Before executing reinit-task,
	force context-switch to terminate the stream and context.
6) <audiounit_destroy> context is dropped.
Wait 10 seconds before ending this manual test.
7) <audiounit_reinit_stream_async> Executing reinit-task. (after stream is destroyed?)
8) touch stm->output_unit: 0x0
```
This is reproducible in the [C backend](https://github.com/kinetiknz/cubeb/blob/8fd6845c9e0473073d52f1d3a79b8af55f44c64c/src/cubeb_audiounit.cpp) as well. By applying this patch, which adds some delays at the proper times, the UAF can be reproduced via `cubeb-test`. The delays are added in exactly the same places as those in Attachment 9126802.

```
% ./cubeb-test   
Log level is DISABLED
Init cubeb backend: audiounit
collection device type is UNKNOWN
stream_init succeed
state is CUBEB_STATE_STARTED
stream_start succeed
press `q` to abort or `h` for help
q
state is CUBEB_STATE_STOPPED
1) <audiounit_stream_destroy> Force context-switch. Please fire a device-change event now!
// Need to manually change the default output device
2) <audiounit_reinit_stream_async> Sneak here when destroy_pending is 0. Then force context-switch.
3) <audiounit_stream_destroy> Executing destroy-task.
4) <audiounit_stream_destroy> destroy-task is done.
5) <audiounit_reinit_stream_async> Before executing reinit-task,
	force context-switch to terminate the stream and context.
6) <audiounit_destroy> context is dropped.
Wait 10 seconds before ending this manual test.
7) <audiounit_reinit_stream_async> Executing reinit-task. (after stream is destroyed?)
8) touch stm->output_unit: 0x0
```
This is reproducible in the [C backend](https://github.com/kinetiknz/cubeb/blob/8fd6845c9e0473073d52f1d3a79b8af55f44c64c/src/cubeb_audiounit.cpp) as well. By applying this patch, which adds some delays at the proper times, the UAF can be reproduced via `cubeb-test`. The delays are added in exactly the same places as those in Attachment 9126802.

```
% ./cubeb-test   
Log level is DISABLED
Init cubeb backend: audiounit
collection device type is UNKNOWN
stream_init succeed
state is CUBEB_STATE_STARTED
stream_start succeed
press `q` to abort or `h` for help
q
state is CUBEB_STATE_STOPPED
1) <audiounit_stream_destroy> Force context-switch. Please fire a device-change event now!
// Need to manually change the default output device
2) <audiounit_reinit_stream_async> Sneak here when destroy_pending is 0. Then force context-switch.
3) <audiounit_stream_destroy> Executing destroy-task.
4) <audiounit_stream_destroy> destroy-task is done.
5) <audiounit_reinit_stream_async> Before executing reinit-task,
	force context-switch to terminate the stream and context.
6) <audiounit_destroy> context is dropped.
Wait 10 seconds before ending this manual test.
7) <audiounit_reinit_stream_async> Executing reinit-task. (after stream is destroyed?)
8) touch stm->output_unit: 0x0 // This is actually UAF!
```
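The ordering in the log above, reduced to a constructed single-threaded model (added here as an example; it is not cubeb's code, and `stream_t`, its fields, the task queue and the refcount scheme are assumptions made for illustration). The racy flow reproduces steps 1 to 8: the reinit path reads `destroy_pending` while it is still 0, its task is queued behind the destroy task, and it runs after the stream is gone. The hardened flow shows one common mitigation for this class of bug, not the project's own fix: the check of `destroy_pending` and the acquisition of a reference happen as one step, and teardown is deferred until the last reference is dropped, so a late reinit task finds a live stream, sees the pending destroy, and bails out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the destroy/reinit ordering in the cubeb-test log.
 * Not cubeb's code: the types, fields and queue below are illustrative.
 * The context switches the log forces are modelled by the fixed order in
 * which each sequence function performs its steps. */

#define MAX_TASKS 8

typedef struct stream {
  int   destroy_pending; /* set by stream_destroy before its task is queued */
  int   refs;            /* hardened flow only: outstanding users of stm     */
  int   destroyed;       /* set once the teardown has actually run           */
  void *output_unit;     /* the field step 8 of the log touches              */
} stream_t;

typedef struct task {
  void (*fn)(stream_t *, int *);
  stream_t *stm;
} task_t;

/* One serial queue shared by both flows; tasks run in FIFO order. */
static task_t g_queue[MAX_TASKS];
static int g_head, g_tail;

static void queue_push(void (*fn)(stream_t *, int *), stream_t *stm) {
  if (g_tail < MAX_TASKS) g_queue[g_tail++] = (task_t){ fn, stm };
}

static void queue_drain(int *uaf) {
  while (g_head < g_tail) {
    task_t t = g_queue[g_head++];
    t.fn(t.stm, uaf);
  }
  g_head = g_tail = 0;
}

/* Stands in for freeing the stream. The stream lives on the caller's stack so
 * the model can inspect it afterwards instead of reading freed memory. */
static void teardown(stream_t *s) {
  s->destroyed = 1;
  s->output_unit = NULL;
}

/* ---- racy flow: the ordering the log shows ---- */

static void destroy_task_racy(stream_t *s, int *uaf) {
  (void)uaf;
  teardown(s);                              /* steps 3-4 */
}

static void reinit_task_racy(stream_t *s, int *uaf) {
  if (s->destroyed) { *uaf = 1; return; }   /* step 8: stm is already gone */
  s->output_unit = (void *)0x1;             /* would rebuild the audio unit */
}

/* Returns 1 if the reinit task ran against a destroyed stream. */
int racy_sequence(void) {
  stream_t s = { 0 };
  int uaf = 0;
  /* step 1: stream_destroy starts; control switches to the device-change path */
  int saw_pending = s.destroy_pending;      /* step 2: reinit_async reads 0 ... */
  s.destroy_pending = 1;                    /* ... then stream_destroy resumes  */
  queue_push(destroy_task_racy, &s);
  if (!saw_pending) queue_push(reinit_task_racy, &s); /* queued behind destroy */
  queue_drain(&uaf);                        /* steps 3-8 */
  return uaf;
}

/* ---- hardened flow: check-and-acquire is one step, last reference frees ---- */

static void release(stream_t *s) {
  if (--s->refs == 0 && s->destroy_pending) teardown(s);
}

static void destroy_task_safe(stream_t *s, int *uaf) {
  (void)uaf;
  release(s);                               /* drops the owner's reference */
}

static void reinit_task_safe(stream_t *s, int *uaf) {
  if (!s->destroy_pending) {                /* only rebuild a live stream */
    if (s->destroyed) *uaf = 1;             /* defensive: refcount prevents this */
    else s->output_unit = (void *)0x1;
  }
  release(s);                               /* last reference out runs teardown */
}

/* Returns 0 on clean teardown, 1 on use-after-destroy, 2 if the stream leaked. */
int safe_sequence(void) {
  stream_t s = { 0 };
  s.refs = 1;                               /* the owner's reference */
  int uaf = 0;
  /* step 2, hardened: the reinit path checks destroy_pending and takes its
   * reference as one step (in real code: under the lock stream_destroy holds
   * while setting destroy_pending). */
  int acquired = 0;
  if (!s.destroy_pending) { s.refs++; acquired = 1; }
  s.destroy_pending = 1;
  queue_push(destroy_task_safe, &s);
  if (acquired) queue_push(reinit_task_safe, &s);
  queue_drain(&uaf);
  if (uaf) return 1;
  return s.destroyed ? 0 : 2;
}

int main(void) {
  printf("racy flow: %s\n", racy_sequence() ? "use-after-destroy" : "ok");
  printf("hardened flow: %s\n", safe_sequence() == 0 ? "clean teardown" : "problem");
  return 0;
}
```

The model deliberately marks the stream destroyed instead of freeing it, so the racy flow reports the bad access rather than triggering undefined behaviour; under a sanitizer the real code path would show the same ordering as a read of freed memory at the point the log labels step 8.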