Modified: releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog (214810 => 214811)
--- releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog 2017-04-03 17:12:27 UTC (rev 214810)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog 2017-04-03 17:15:03 UTC (rev 214811)
@@ -1,3 +1,13 @@
+2017-03-30 Eric Carlson <eric.carl...@apple.com>
+
+ [Crash] WebCore::AudioBuffer::AudioBuffer don't checking illegal value
+ https://bugs.webkit.org/show_bug.cgi?id=169956
+
+ Reviewed by Youenn Fablet.
+
+ * webaudio/audiobuffer-crash-expected.txt: Added.
+ * webaudio/audiobuffer-crash.html: Added.
+
2017-03-29 Ryosuke Niwa <rn...@webkit.org>
Disconnecting a HTMLObjectElement does not always unload its content document
Added: releases/WebKitGTK/webkit-2.16/LayoutTests/webaudio/audiobuffer-crash-expected.txt (0 => 214811)
--- releases/WebKitGTK/webkit-2.16/LayoutTests/webaudio/audiobuffer-crash-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/webaudio/audiobuffer-crash-expected.txt 2017-04-03 17:15:03 UTC (rev 214811)
@@ -0,0 +1,11 @@
+Attempting to create a large AudioBuffer should not crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS context = new webkitAudioContext().createBuffer(1, -1, 44100) threw exception NotSupportedError (DOM Exception 9): The operation is not supported..
+PASS Test passed because if it didn't crash.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: releases/WebKitGTK/webkit-2.16/LayoutTests/webaudio/audiobuffer-crash.html (0 => 214811)
--- releases/WebKitGTK/webkit-2.16/LayoutTests/webaudio/audiobuffer-crash.html (rev 0)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/webaudio/audiobuffer-crash.html 2017-04-03 17:15:03 UTC (rev 214811)
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <script src=""
+ </head>
+ <body>
+ <script>
+ description("Attempting to create a large AudioBuffer should not crash.");
+ shouldThrow("context = new webkitAudioContext().createBuffer(1, -1, 44100)");
+ testPassed("Test passed because if it didn't crash.");
+ </script>
+
+ <script src=""
+ </body>
+</html>
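Review bot: The pass message `"Test passed because if it didn't crash."` is ungrammatical; `testPassed("Test passed because it didn't crash.");` reads correctly, and the matching line in audiobuffer-crash-expected.txt has to change with it. The test also covers only `numberOfFrames = -1`: if the bindings coerce that to a large unsigned value it exercises the new allocation-failure path in AudioBuffer, but if they reject it before reaching `create()` the path stays untested, so a second case with an explicit large frame count would pin the behavior the fix adds. The two `<script src=""` attributes appear to have lost their paths in this rendering; I cannot verify the intended values from here.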
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog (214810 => 214811)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog 2017-04-03 17:12:27 UTC (rev 214810)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog 2017-04-03 17:15:03 UTC (rev 214811)
@@ -1,3 +1,19 @@
+2017-03-30 Eric Carlson <eric.carl...@apple.com>
+
+ [Crash] WebCore::AudioBuffer::AudioBuffer don't checking illegal value
+ https://bugs.webkit.org/show_bug.cgi?id=169956
+
+ Reviewed by Youenn Fablet.
+
+ Test: webaudio/audiobuffer-crash.html
+
+ * Modules/webaudio/AudioBuffer.cpp:
+ (WebCore::AudioBuffer::AudioBuffer): Invalidate the object and return early if the channel
+ array allocation fails.
+ (WebCore::AudioBuffer::AudioBuffer): Ditto.
+ (WebCore::AudioBuffer::invalidate): Invalidate the object.
+ * Modules/webaudio/AudioBuffer.h:
+
2017-03-29 Ryosuke Niwa <rn...@webkit.org>
Disconnecting a HTMLObjectElement does not always unload its content document
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/Modules/webaudio/AudioBuffer.cpp (214810 => 214811)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/Modules/webaudio/AudioBuffer.cpp 2017-04-03 17:12:27 UTC (rev 214810)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/Modules/webaudio/AudioBuffer.cpp 2017-04-03 17:15:03 UTC (rev 214811)
@@ -43,7 +43,12 @@
{
if (sampleRate < 22050 || sampleRate > 96000 || numberOfChannels > AudioContext::maxNumberOfChannels() || !numberOfFrames)
return nullptr;
- return adoptRef(*new AudioBuffer(numberOfChannels, numberOfFrames, sampleRate));
+
+ auto buffer = adoptRef(*new AudioBuffer(numberOfChannels, numberOfFrames, sampleRate));
+ if (!buffer->m_length)
+ return nullptr;
+
+ return WTFMove(buffer);
}
RefPtr<AudioBuffer> AudioBuffer::createFromAudioFileData(const void* data, size_t dataSize, bool mixToMono, float sampleRate)
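Review bot: The factory now uses `m_length == 0` as the allocation-failure signal, but nothing at this site says so; a reader sees `!numberOfFrames` already rejected zero a few lines above and may take the new check as redundant. Suggest a comment above it, `// The constructor zeroes m_length via invalidate() when a channel array fails to allocate.` The oversized allocation is still attempted before being rejected; if this engine has a known upper bound on frame count, rejecting it alongside the sample-rate and channel-count range checks would avoid the attempt entirely, but no such bound is visible in this diff. The enclosing function's signature is above this hunk.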
@@ -61,9 +66,14 @@
m_channels.reserveCapacity(numberOfChannels);
for (unsigned i = 0; i < numberOfChannels; ++i) {
- RefPtr<Float32Array> channelDataArray = Float32Array::create(m_length);
+ auto channelDataArray = Float32Array::create(m_length);
+ if (!channelDataArray) {
+ invalidate();
+ break;
+ }
+
channelDataArray->setNeuterable(false);
- m_channels.append(channelDataArray);
+ m_channels.append(WTFMove(channelDataArray));
}
}
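Review bot: The failure path relies on every caller that constructs an AudioBuffer checking `m_length` afterwards, as `create()` does; `createFromAudioFileData` (declared just after the first hunk) and any other path through the `AudioBus&` constructor are outside this diff, so whether they check the sentinel cannot be confirmed here. The same `if (!channelDataArray) { invalidate(); break; }` pattern is repeated in the `AudioBus&` constructor hunk below; a short comment on both, `// A null channel array means allocation failed; leave the buffer invalidated (m_length == 0) so create() rejects it.`, would make the contract visible at the point it is established. Both constructors' signatures are above their hunks.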
@@ -76,6 +86,11 @@
m_channels.reserveCapacity(numberOfChannels);
for (unsigned i = 0; i < numberOfChannels; ++i) {
auto channelDataArray = Float32Array::create(m_length);
+ if (!channelDataArray) {
+ invalidate();
+ break;
+ }
+
channelDataArray->setNeuterable(false);
channelDataArray->setRange(bus.channel(i)->data(), m_length, 0);
m_channels.append(WTFMove(channelDataArray));
@@ -82,6 +97,12 @@
}
}
+void AudioBuffer::invalidate()
+{
+ releaseMemory();
+ m_length = 0;
+}
+
void AudioBuffer::releaseMemory()
{
m_channels.clear();
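Review bot: `invalidate()` carries no comment, and because `m_length` doubles as the object's validity flag it deserves one: `// Drops any channel data already allocated and zeroes m_length; create() treats m_length == 0 as a failed buffer.` Relatedly, the header declares `size_t m_length;` with no in-class initializer, unlike `m_gain { 1.0 }`, so the sentinel is only meaningful on paths where a constructor assigns it, and those assignments are not visible in this diff; `size_t m_length { 0 };` would make the invalid state the default instead of an uninitialized read if any path skips the assignment. The header hunk is cut off at the end of this diff, so that change is raised here.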
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/Modules/webaudio/AudioBuffer.h (214810 => 214811)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/Modules/webaudio/AudioBuffer.h 2017-04-03 17:12:27 UTC (rev 214810)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/Modules/webaudio/AudioBuffer.h 2017-04-03 17:15:03 UTC (rev 214811)
@@ -69,6 +69,8 @@
AudioBuffer(unsigned numberOfChannels, size_t numberOfFrames, float sampleRate);
explicit AudioBuffer(AudioBus&);
+ void invalidate();
+
double m_gain { 1.0 }; // scalar gain
float m_sampleRate;
size_t m_length;