Title: [206023] trunk/Source/WebCore
Revision
206023
Author
jer.no...@apple.com
Date
2016-09-16 09:20:13 -0700 (Fri, 16 Sep 2016)

Log Message

[media-source] ASAN crash running imported/w3c/web-platform-tests/media-source/mediasource-remove.html
https://bugs.webkit.org/show_bug.cgi?id=162050

Reviewed by Brent Fulgham.

SampleMap::removeSample() was accessing the passed-in sample after removing it from its own storage. If
the SampleMap held the last reference to the sample, it would end up accessing freed memory. Fix the
post-removal access, but also ensure that the caller, SourceBuffer::removeCodedFrames(), retains the
sample it passes into removeSample().

* Modules/mediasource/SampleMap.cpp:
(WebCore::SampleMap::removeSample):
* Modules/mediasource/SourceBuffer.cpp:
(WebCore::SourceBuffer::removeCodedFrames):

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (206022 => 206023)


--- trunk/Source/WebCore/ChangeLog	2016-09-16 13:08:31 UTC (rev 206022)
+++ trunk/Source/WebCore/ChangeLog	2016-09-16 16:20:13 UTC (rev 206023)
@@ -1,3 +1,20 @@
+2016-09-16  Jer Noble  <jer.no...@apple.com>
+
+        [media-source] ASAN crash running imported/w3c/web-platform-tests/media-source/mediasource-remove.html
+        https://bugs.webkit.org/show_bug.cgi?id=162050
+
+        Reviewed by Brent Fulgham.
+
+        SampleMap::removeSample() was accessing the passed-in sample after removing it from its own storage. If
+        the SampleMap held the last reference to the sample, it would end up acessing freed memory. Fix the
+        post-removal access, but also ensure that the caller, SourceBuffer::removeCodedFrames(), retains the
+        sample it passes into removeSample().
+
+        * Modules/mediasource/SampleMap.cpp:
+        (WebCore::SampleMap::removeSample):
+        * Modules/mediasource/SourceBuffer.cpp:
+        (WebCore::SourceBuffer::removeCodedFrames):
+
 2016-09-16  Javier Fernandez  <jfernan...@igalia.com>
 
         [GTK] Unreviewed build fix after r206007.
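Review bot: typo in the new ChangeLog entry: "it would end up acessing freed memory" should read "accessing".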

Modified: trunk/Source/WebCore/Modules/mediasource/SampleMap.cpp (206022 => 206023)


--- trunk/Source/WebCore/Modules/mediasource/SampleMap.cpp	2016-09-16 13:08:31 UTC (rev 206022)
+++ trunk/Source/WebCore/Modules/mediasource/SampleMap.cpp	2016-09-16 16:20:13 UTC (rev 206023)
@@ -125,12 +125,11 @@
     ASSERT(sample);
     MediaTime presentationTime = sample->presentationTime();
 
-    presentationOrder().m_samples.erase(presentationTime);
+    m_totalSize -= sample->sizeInBytes();
 
     auto decodeKey = DecodeOrderSampleMap::KeyType(sample->decodeTime(), presentationTime);
+    presentationOrder().m_samples.erase(presentationTime);
     decodeOrder().m_samples.erase(decodeKey);
-
-    m_totalSize -= sample->sizeInBytes();
 }
 
 PresentationOrderSampleMap::iterator PresentationOrderSampleMap::findSampleWithPresentationTime(const MediaTime& time)
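Review bot: after `presentationOrder().m_samples.erase(presentationTime);` the raw `sample` pointer may dangle whenever that map held the last reference, and the only thing keeping this safe is that the remaining line uses `decodeKey` (computed beforehand) rather than `sample`. That invariant is not written down anywhere in the hunk; a short comment above the two `erase` calls saying that `sample` must not be dereferenced past this point would stop the next edit from reintroducing the use-after-free, or, more robustly, have `removeSample()` take a `Ref<MediaSample>` so the callee holds the sample alive itself instead of relying on every caller (as `SourceBuffer::removeCodedFrames()` now does) to do so.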

Modified: trunk/Source/WebCore/Modules/mediasource/SourceBuffer.cpp (206022 => 206023)


--- trunk/Source/WebCore/Modules/mediasource/SourceBuffer.cpp	2016-09-16 13:08:31 UTC (rev 206022)
+++ trunk/Source/WebCore/Modules/mediasource/SourceBuffer.cpp	2016-09-16 16:20:13 UTC (rev 206023)
@@ -770,16 +770,17 @@
             auto sampleIterator = trackBuffer.samples.presentationOrder().findSampleContainingPresentationTime(time);
             if (sampleIterator == trackBuffer.samples.presentationOrder().end())
                 return;
-            if (!sampleIterator->second->isDivisable())
+            RefPtr<MediaSample> sample = sampleIterator->second;
+            if (!sample->isDivisable())
                 return;
-            std::pair<RefPtr<MediaSample>, RefPtr<MediaSample>> replacementSamples = sampleIterator->second->divide(time);
+            std::pair<RefPtr<MediaSample>, RefPtr<MediaSample>> replacementSamples = sample->divide(time);
             if (!replacementSamples.first || !replacementSamples.second)
                 return;
             LOG(MediaSource, "SourceBuffer::removeCodedFrames(%p) - splitting sample (%s) into\n\t(%s)\n\t(%s)", this,
-                toString(sampleIterator->second).utf8().data(),
+                toString(sample).utf8().data(),
                 toString(replacementSamples.first).utf8().data(),
                 toString(replacementSamples.second).utf8().data());
-            trackBuffer.samples.removeSample(sampleIterator->second.get());
+            trackBuffer.samples.removeSample(sample.get());
             trackBuffer.samples.addSample(*replacementSamples.first);
             trackBuffer.samples.addSample(*replacementSamples.second);
         };
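Review bot: `RefPtr<MediaSample> sample = sampleIterator->second;` is the right fix for the lifetime problem, but since `sampleIterator->second` is never null here (the callee asserts on it), `Ref<MediaSample>` would express that and avoid a null-checkable smart pointer. Also note that `trackBuffer.samples.removeSample(sample.get());` erases the element `sampleIterator` points to, so `sampleIterator` is invalidated from that line on; it is not used afterwards in the visible lines, but a comment to that effect would keep it that way.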
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes