[webkit-changes] [235890] trunk/Source/WebCore

[philn]

Title: [235890] trunk/Source/WebCore

Revision

235890

Author

ph...@webkit.org

Date

2018-09-11 01:20:13 -0700 (Tue, 11 Sep 2018)

Log Message

[GStreamer] use-after-free in MockVideoCaptureSource
https://bugs.webkit.org/show_bug.cgi?id=189462

Reviewed by Xabier Rodriguez-Calvar.

* platform/mediastream/gstreamer/MockGStreamerVideoCaptureSource.cpp:
(WebCore::WrappedMockRealtimeVideoSource::updateSampleBuffer):
Copy the BGRA data before passing ownership to GStreamer. Also
include a few code style cosmetic changes.

Modified Paths

• trunk/Source/WebCore/ChangeLog
• trunk/Source/WebCore/platform/mediastream/gstreamer/MockGStreamerVideoCaptureSource.cpp

Diff

Modified: trunk/Source/WebCore/ChangeLog (235889 => 235890)

--- trunk/Source/WebCore/ChangeLog	2018-09-11 08:14:48 UTC (rev 235889)
+++ trunk/Source/WebCore/ChangeLog	2018-09-11 08:20:13 UTC (rev 235890)
@@ -1,3 +1,15 @@
+2018-09-11  Philippe Normand  <pnorm...@igalia.com>
+
+        [GStreamer] use-after-free in MockVideoCaptureSource
+        https://bugs.webkit.org/show_bug.cgi?id=189462
+
+        Reviewed by Xabier Rodriguez-Calvar.
+
+        * platform/mediastream/gstreamer/MockGStreamerVideoCaptureSource.cpp:
+        (WebCore::WrappedMockRealtimeVideoSource::updateSampleBuffer):
+        Copy the BGRA data before passing ownership to GStreamer. Also
+        include a few code style cosmetic changes.
+
 2018-09-11  Jiewen Tan  <jiewen_...@apple.com>
 
         [WebAuthN] Polish AuthenticatorManager and rename it to AuthenticatorCoordinator

Modified: trunk/Source/WebCore/platform/mediastream/gstreamer/MockGStreamerVideoCaptureSource.cpp (235889 => 235890)

--- trunk/Source/WebCore/platform/mediastream/gstreamer/MockGStreamerVideoCaptureSource.cpp	2018-09-11 08:14:48 UTC (rev 235889)
+++ trunk/Source/WebCore/platform/mediastream/gstreamer/MockGStreamerVideoCaptureSource.cpp	2018-09-11 08:20:13 UTC (rev 235890)
@@ -40,28 +40,24 @@
 
     void updateSampleBuffer()
     {
-        int fpsNumerator, fpsDenominator;
         auto imageBuffer = this->imageBuffer();
-
         if (!imageBuffer)
             return;
 
+        int fpsNumerator, fpsDenominator;
         gst_util_double_to_fraction(frameRate(), &fpsNumerator, &fpsDenominator);
+        auto imageSize = imageBuffer->internalSize();
+        auto caps = adoptGRef(gst_caps_new_simple("video/x-raw",
+            "format", G_TYPE_STRING, "BGRA",
+            "width", G_TYPE_INT, imageSize.width(),
+            "height", G_TYPE_INT, imageSize.height(),
+            "framerate", GST_TYPE_FRACTION, fpsNumerator, fpsDenominator, nullptr));
         auto data = ""
         auto size = data.size();
-        auto image_size = imageBuffer->internalSize();
-        auto gstsample = gst_sample_new(gst_buffer_new_wrapped(static_cast<guint8*>(data.releaseBuffer().get()), size),
-            adoptGRef(gst_caps_new_simple("video/x-raw",
-                "format", G_TYPE_STRING, "BGRA",
-                "width", G_TYPE_INT, image_size.width(),
-                "height", G_TYPE_INT, image_size.height(),
-                "framerate", GST_TYPE_FRACTION, fpsNumerator, fpsDenominator,
-                nullptr)).get(),
-            nullptr, nullptr);
+        auto buffer = adoptGRef(gst_buffer_new_wrapped(g_memdup(data.releaseBuffer().get(), size), size));
+        auto gstSample = adoptGRef(gst_sample_new(buffer.get(), caps.get(), nullptr, nullptr));
 
-        auto sample = MediaSampleGStreamer::create(WTFMove(gstsample),
-            WebCore::FloatSize(), String());
-        videoSampleAvailable(sample);
+        videoSampleAvailable(MediaSampleGStreamer::create(WTFMove(gstSample), FloatSize(), String()));
     }
 };
 

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes