Diff
Modified: trunk/LayoutTests/ChangeLog (214617 => 214618)
--- trunk/LayoutTests/ChangeLog 2017-03-30 20:17:08 UTC (rev 214617)
+++ trunk/LayoutTests/ChangeLog 2017-03-30 20:17:08 UTC (rev 214618)
@@ -1,3 +1,13 @@
+2017-03-30 Eric Carlson <eric.carl...@apple.com>
+
+ [Crash] WebCore::AudioBuffer::AudioBuffer don't checking illegal value
+ https://bugs.webkit.org/show_bug.cgi?id=169956
+
+ Reviewed by Youenn Fablet.
+
+ * webaudio/audiobuffer-crash-expected.txt: Added.
+ * webaudio/audiobuffer-crash.html: Added.
+
2017-03-30 Simon Fraser <simon.fra...@apple.com>
Add some tests that dump the touch event regions with various content configurations
Added: trunk/LayoutTests/webaudio/audiobuffer-crash-expected.txt (0 => 214618)
--- trunk/LayoutTests/webaudio/audiobuffer-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/webaudio/audiobuffer-crash-expected.txt 2017-03-30 20:17:08 UTC (rev 214618)
@@ -0,0 +1,11 @@
+Attempting to create a large AudioBuffer should not crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS context = new webkitAudioContext().createBuffer(1, -1, 44100) threw exception NotSupportedError (DOM Exception 9): The operation is not supported..
+PASS Test passed because if it didn't crash.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/webaudio/audiobuffer-crash.html (0 => 214618)
--- trunk/LayoutTests/webaudio/audiobuffer-crash.html (rev 0)
+++ trunk/LayoutTests/webaudio/audiobuffer-crash.html 2017-03-30 20:17:08 UTC (rev 214618)
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <script src=""
+ </head>
+ <body>
+ <script>
+ description("Attempting to create a large AudioBuffer should not crash.");
+ shouldThrow("context = new webkitAudioContext().createBuffer(1, -1, 44100)");
+ testPassed("Test passed because if it didn't crash.");
+ </script>
+
+ <script src=""
+ </body>
+</html>
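Review bot: The test exercises only `createBuffer(1, -1, 44100)`, while the description speaks of a "large" buffer, so the reader has to infer that the negative length is presumably converted to a very large unsigned frame count. A comment above the `shouldThrow` line would make that explicit, e.g. `// -1 wraps to a huge frame count, so the channel allocation must fail cleanly.` A second case with more than one channel would also cover the path where an earlier channel allocates and a later one fails, which the `invalidate()` cleanup in AudioBuffer.cpp is meant to handle.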
Modified: trunk/Source/WebCore/ChangeLog (214617 => 214618)
--- trunk/Source/WebCore/ChangeLog 2017-03-30 20:17:08 UTC (rev 214617)
+++ trunk/Source/WebCore/ChangeLog 2017-03-30 20:17:08 UTC (rev 214618)
@@ -1,3 +1,19 @@
+2017-03-30 Eric Carlson <eric.carl...@apple.com>
+
+ [Crash] WebCore::AudioBuffer::AudioBuffer don't checking illegal value
+ https://bugs.webkit.org/show_bug.cgi?id=169956
+
+ Reviewed by Youenn Fablet.
+
+ Test: webaudio/audiobuffer-crash.html
+
+ * Modules/webaudio/AudioBuffer.cpp:
+ (WebCore::AudioBuffer::AudioBuffer): Invalidate the object and return early if the channel
+ array allocation fails.
+ (WebCore::AudioBuffer::AudioBuffer): Ditto.
+ (WebCore::AudioBuffer::invalidate): Invalidate the object.
+ * Modules/webaudio/AudioBuffer.h:
+
2017-03-30 Antoine Quint <grao...@apple.com>
[mac-wk1] LayoutTest media/modern-media-controls/airplay-button/airplay-button.html is a flaky timeout
Modified: trunk/Source/WebCore/Modules/webaudio/AudioBuffer.cpp (214617 => 214618)
--- trunk/Source/WebCore/Modules/webaudio/AudioBuffer.cpp 2017-03-30 20:17:08 UTC (rev 214617)
+++ trunk/Source/WebCore/Modules/webaudio/AudioBuffer.cpp 2017-03-30 20:17:08 UTC (rev 214618)
@@ -43,7 +43,12 @@
{
if (sampleRate < 22050 || sampleRate > 96000 || numberOfChannels > AudioContext::maxNumberOfChannels() || !numberOfFrames)
return nullptr;
- return adoptRef(*new AudioBuffer(numberOfChannels, numberOfFrames, sampleRate));
+
+ auto buffer = adoptRef(*new AudioBuffer(numberOfChannels, numberOfFrames, sampleRate));
+ if (!buffer->m_length)
+ return nullptr;
+
+ return WTFMove(buffer);
}
RefPtr<AudioBuffer> AudioBuffer::createFromAudioFileData(const void* data, size_t dataSize, bool mixToMono, float sampleRate)
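Review bot: `create()` detects a failed construction by testing `!buffer->m_length`, but that convention is not stated anywhere in the hunk. A one-line comment above the check would document it, e.g. `// The constructor calls invalidate(), which zeroes m_length, when a channel allocation fails.` Separately, the up-front validation still accepts any non-zero `numberOfFrames`, so an oversized request is rejected only after the constructor has attempted the per-channel allocations. Whether an explicit upper bound belongs here depends on limits not visible in this diff. The trailing context line is the signature of `createFromAudioFileData`, whose body lies outside the hunk.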
@@ -61,9 +66,14 @@
m_channels.reserveCapacity(numberOfChannels);
for (unsigned i = 0; i < numberOfChannels; ++i) {
- RefPtr<Float32Array> channelDataArray = Float32Array::create(m_length);
+ auto channelDataArray = Float32Array::create(m_length);
+ if (!channelDataArray) {
+ invalidate();
+ break;
+ }
+
channelDataArray->setNeuterable(false);
- m_channels.append(channelDataArray);
+ m_channels.append(WTFMove(channelDataArray));
}
}
@@ -76,6 +86,11 @@
m_channels.reserveCapacity(numberOfChannels);
for (unsigned i = 0; i < numberOfChannels; ++i) {
auto channelDataArray = Float32Array::create(m_length);
+ if (!channelDataArray) {
+ invalidate();
+ break;
+ }
+
channelDataArray->setNeuterable(false);
channelDataArray->setRange(bus.channel(i)->data(), m_length, 0);
m_channels.append(WTFMove(channelDataArray));
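Review bot: The `AudioBus` constructor now zeroes `m_length` when a channel allocation fails, but no caller in this diff checks for that state; only `create()` in the first hunk tests `!buffer->m_length`. If `createFromAudioFileData` (body not shown) returns an object built by this constructor directly, it could hand back an invalidated buffer with no channels. It would then need the same guard, `if (!buffer->m_length) return nullptr;`. The constructor starts above this hunk and its closing braces fall in the next one.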
@@ -82,6 +97,12 @@
}
}
+void AudioBuffer::invalidate()
+{
+ releaseMemory();
+ m_length = 0;
+}
+
void AudioBuffer::releaseMemory()
{
m_channels.clear();
Modified: trunk/Source/WebCore/Modules/webaudio/AudioBuffer.h (214617 => 214618)
--- trunk/Source/WebCore/Modules/webaudio/AudioBuffer.h 2017-03-30 20:17:08 UTC (rev 214617)
+++ trunk/Source/WebCore/Modules/webaudio/AudioBuffer.h 2017-03-30 20:17:08 UTC (rev 214618)
@@ -69,6 +69,8 @@
AudioBuffer(unsigned numberOfChannels, size_t numberOfFrames, float sampleRate);
explicit AudioBuffer(AudioBus&);
+ void invalidate();
+
double m_gain { 1.0 }; // scalar gain
float m_sampleRate;
size_t m_length;