Diff
Modified: branches/safari-602-branch/LayoutTests/ChangeLog (207921 => 207922)
--- branches/safari-602-branch/LayoutTests/ChangeLog 2016-10-26 23:18:05 UTC (rev 207921)
+++ branches/safari-602-branch/LayoutTests/ChangeLog 2016-10-26 23:18:09 UTC (rev 207922)
@@ -1,5 +1,19 @@
2016-10-26 Matthew Hanson <matthew_han...@apple.com>
+ Merge r207661. rdar://problem/28857478
+
+ 2016-10-21 Jer Noble <jer.no...@apple.com>
+
+ CRASH in SourceBuffer::sourceBufferPrivateDidReceiveSample + 2169
+ https://bugs.webkit.org/show_bug.cgi?id=163735
+
+ Reviewed by Eric Carlson.
+
+ * media/media-source/media-source-sample-wrong-track-id-expected.txt: Added.
+ * media/media-source/media-source-sample-wrong-track-id.html: Added.
+
+2016-10-26 Matthew Hanson <matthew_han...@apple.com>
+
Merge r207631. rdar://problem/28810750
2016-10-20 Zalan Bujtas <za...@apple.com>
Added: branches/safari-602-branch/LayoutTests/media/media-source/media-source-sample-wrong-track-id-expected.txt (0 => 207922)
--- branches/safari-602-branch/LayoutTests/media/media-source/media-source-sample-wrong-track-id-expected.txt (rev 0)
+++ branches/safari-602-branch/LayoutTests/media/media-source/media-source-sample-wrong-track-id-expected.txt 2016-10-26 23:18:09 UTC (rev 207922)
@@ -0,0 +1,9 @@
+
+RUN(video.src = ""
+EVENT(sourceopen)
+RUN(sourceBuffer = source.addSourceBuffer("video/mock; codecs=mock"))
+Append a set of invalid, overlapping samples. Should not crash.
+RUN(sourceBuffer.appendBuffer(mediaSegment))
+EVENT(updateend)
+END OF TEST
+
Added: branches/safari-602-branch/LayoutTests/media/media-source/media-source-sample-wrong-track-id.html (0 => 207922)
--- branches/safari-602-branch/LayoutTests/media/media-source/media-source-sample-wrong-track-id.html (rev 0)
+++ branches/safari-602-branch/LayoutTests/media/media-source/media-source-sample-wrong-track-id.html 2016-10-26 23:18:09 UTC (rev 207922)
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>media-source-sample-wrong-track-id</title>
+ <script src=""
+ <script src=""
+ <script>
+ var source;
+ var sourceBuffer;
+ var initSegment;
+ var mediaSegment;
+
+ if (window.internals)
+ internals.initializeMockMediaSource();
+
+ function runTest() {
+ findMediaElement();
+
+ source = new MediaSource();
+ waitForEventOn(source, 'sourceopen', sourceOpen, false, true);
+ run('video.src = ""
+ }
+
+ function sourceOpen() {
+ run('sourceBuffer = source.addSourceBuffer("video/mock; codecs=mock")');
+ waitForEventOn(sourceBuffer, 'updateend', endTest);
+ consoleWrite('Append a set of invalid, overlapping samples. Should not crash.')
+ mediaSegment = concatenateSamples([
+ makeAInit(2, [makeATrack(1, 'mock', TRACK_KIND.AUDIO)]),
+ makeASample(1, 1, 1, 2, SAMPLE_FLAG.SYNC, 0),
+ makeASample(1, 0, 2, 2, SAMPLE_FLAG.SYNC, 0),
+ ]);
+ run('sourceBuffer.appendBuffer(mediaSegment)');
+ }
+ </script>
+</head>
+<body _onload_="runTest()">
+ <video></video>
+</body>
+</html>
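Review bot: The test only waits for `updateend` in `sourceOpen()`, so it passes whenever the append does not crash and would not notice if the sample with the unknown track ID were buffered instead of dropped. Consider checking the buffered ranges in the `updateend` handler before ending the test, for example `testExpected('sourceBuffer.buffered.length', 0);` (assuming the shared helpers loaded by the two script tags provide `testExpected`), with the expected-output file updated to match. The console text also calls the samples 'invalid, overlapping', while the file name and the ChangeLog say the case under test is a sample whose track ID was absent from the initialization segment. Wording the message that way would make a future failure easier to triage.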
Modified: branches/safari-602-branch/Source/WebCore/ChangeLog (207921 => 207922)
--- branches/safari-602-branch/Source/WebCore/ChangeLog 2016-10-26 23:18:05 UTC (rev 207921)
+++ branches/safari-602-branch/Source/WebCore/ChangeLog 2016-10-26 23:18:09 UTC (rev 207922)
@@ -1,5 +1,30 @@
2016-10-26 Matthew Hanson <matthew_han...@apple.com>
+ Merge r207661. rdar://problem/28857478
+
+ 2016-10-21 Jer Noble <jer.no...@apple.com>
+
+ CRASH in SourceBuffer::sourceBufferPrivateDidReceiveSample + 2169
+ https://bugs.webkit.org/show_bug.cgi?id=163735
+
+ Reviewed by Eric Carlson.
+
+ Test: media/media-source/media-source-sample-wrong-track-id.html
+
+ When SourceBuffer receives a sample in sourceBufferPrivateDidReceiveSample() containing
+ a trackID not previously seen in an initialization segment, it creates a default TrackBuffer
+ object to contain that track's samples. One of the fields in TrackBuffer, description, is
+ normally filled out when an initialization segment is received, but with this default
+ TrackBuffer, it's still null when it's checked later in sourceBufferPrivateDidReceiveSample().
+
+ Rather than adding a null-check on trackBuffer.description, drop any sample that has a
+ trackID which was not present during a previous initialization segment.
+
+ * Modules/mediasource/SourceBuffer.cpp:
+ (WebCore::SourceBuffer::sourceBufferPrivateDidReceiveSample):
+
+2016-10-26 Matthew Hanson <matthew_han...@apple.com>
+
Merge r207631. rdar://problem/28810750
2016-10-20 Zalan Bujtas <za...@apple.com>
Modified: branches/safari-602-branch/Source/WebCore/Modules/mediasource/SourceBuffer.cpp (207921 => 207922)
--- branches/safari-602-branch/Source/WebCore/Modules/mediasource/SourceBuffer.cpp 2016-10-26 23:18:05 UTC (rev 207921)
+++ branches/safari-602-branch/Source/WebCore/Modules/mediasource/SourceBuffer.cpp 2016-10-26 23:18:09 UTC (rev 207922)
@@ -1381,8 +1381,12 @@
// 1.5 Let track buffer equal the track buffer that the coded frame will be added to.
AtomicString trackID = sample->trackID();
auto it = m_trackBufferMap.find(trackID);
- if (it == m_trackBufferMap.end())
- it = m_trackBufferMap.add(trackID, TrackBuffer()).iterator;
+ if (it == m_trackBufferMap.end()) {
+ // The client managed to append a sample with a trackID not present in the initialization
+ // segment. This would be a good place to post an message to the developer console.
+ didDropSample();
+ return;
+ }
TrackBuffer& trackBuffer = it->value;
// 1.6 ↳ If last decode timestamp for track buffer is set and decode timestamp is less than last
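Review bot: The new early return drops a sample with an unknown trackID without leaving any trace, and the added comment only observes that a console message would be useful (it also reads `an message`). The trackID comes from appended media data, which page script controls, so a diagnostic here would help tell a malformed stream from a bug in track setup. Until one is added I would mark the gap explicitly, e.g. `// segment. FIXME: Post a message to the developer console.`. The function starts and continues outside the hunk, so it is not visible whether the steps before 1.5 change SourceBuffer state. If they do, a dropped sample would still leave those changes behind, and moving the lookup ahead of them may be worth checking.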