Title: [238918] branches/safari-606-branch/Source/WebCore
- Revision
- 238918
- Author
- [email protected]
- Date
- 2018-12-05 16:26:27 -0800 (Wed, 05 Dec 2018)
Log Message
Apply patch. rdar://problem/46085280
Modified Paths
Diff
Modified: branches/safari-606-branch/Source/WebCore/ChangeLog (238917 => 238918)
--- branches/safari-606-branch/Source/WebCore/ChangeLog 2018-12-06 00:13:46 UTC (rev 238917)
+++ branches/safari-606-branch/Source/WebCore/ChangeLog 2018-12-06 00:26:27 UTC (rev 238918)
@@ -1,5 +1,29 @@
2018-12-05 Alan Coon <[email protected]>
+ Apply patch. rdar://problem/46085280
+
+ 2018-12-05 Brent Fulgham <[email protected]>
+
+ Lifetime of HTMLMediaElement is not properly handled in asynchronous actions
+ https://bugs.webkit.org/show_bug.cgi?id=192087
+ <rdar://problem/45975230>
+
+ Reviewed by Dean Jackson.
+
+ The HTMLMediaElement performs operations that allow arbitrary _javascript_ to run. We need to make
+ sure the active media element is protected until those calls complete.
+
+ * html/HTMLMediaElement.cpp:
+ (WebCore::HTMLMediaElement::didFinishInsertingNode):
+ (WebCore::HTMLMediaElement::exitFullscreen):
+ (WebCore::HTMLMediaElement::markCaptionAndSubtitleTracksAsUnconfigured):
+ (WebCore::HTMLMediaElement::scheduleConfigureTextTracks):
+ (WebCore::HTMLMediaElement::scheduleMediaEngineWasUpdated):
+ (WebCore::HTMLMediaElement::scheduleUpdatePlayState):
+ (WebCore::HTMLMediaElement::scheduleUpdateMediaState):
+
+2018-12-05 Alan Coon <[email protected]>
+
Apply patch. rdar://problem/45997392
2018-12-05 Jiewen Tan <[email protected]>
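Review bot: The function list in the Brent Fulgham entry names seven functions, including four schedule* functions, but the HTMLMediaElement.cpp diff shown here contains only three code hunks and none of them visibly touches scheduleConfigureTextTracks, scheduleMediaEngineWasUpdated, scheduleUpdatePlayState or scheduleUpdateMediaState. Please confirm the branch merge carried every change from the original patch, and consider adding a short per-function note saying how each one keeps the element alive, since the entry text only says the element is "protected until those calls complete".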
Modified: branches/safari-606-branch/Source/WebCore/html/HTMLMediaElement.cpp (238917 => 238918)
--- branches/safari-606-branch/Source/WebCore/html/HTMLMediaElement.cpp 2018-12-06 00:13:46 UTC (rev 238917)
+++ branches/safari-606-branch/Source/WebCore/html/HTMLMediaElement.cpp 2018-12-06 00:26:27 UTC (rev 238918)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2007-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2007-2018 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -954,6 +954,8 @@
void HTMLMediaElement::didFinishInsertingNode()
{
+ Ref<HTMLMediaElement> protectedThis(*this); // prepareForLoad may result in a 'beforeload' event, which can make arbitrary DOM mutations.
+
if (m_inActiveDocument && m_networkState == NETWORK_EMPTY && !attributeWithoutSynchronization(srcAttr).isEmpty())
prepareForLoad();
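Review bot: protectedThis is taken at the top of didFinishInsertingNode() on every call, although only the prepareForLoad() branch needs it. Consider moving it inside the if with braces, as this patch does for the mode == Immediately branch. Also note that the Ref only keeps the object alive: since the comment says 'beforeload' can make arbitrary DOM mutations, m_inActiveDocument and m_networkState may no longer hold the values tested in the condition once prepareForLoad() returns, so any code after the call in this function should re-read them rather than assume them.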
@@ -5950,6 +5952,7 @@
VideoFullscreenMode oldVideoFullscreenMode = m_videoFullscreenMode;
fullscreenModeChanged(VideoFullscreenModeNone);
#if ENABLE(MEDIA_CONTROLS_SCRIPT)
+ Ref<HTMLMediaElement> protectedThis(*this); // updateMediaControlsAfterPresentationModeChange calls methods that can trigger arbitrary DOM mutations.
updateMediaControlsAfterPresentationModeChange();
#endif
if (hasMediaControls())
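Review bot: The protector is declared inside the #if ENABLE(MEDIA_CONTROLS_SCRIPT) block and after fullscreenModeChanged(VideoFullscreenModeNone). Its scope does extend over the following hasMediaControls() check, which is good, but builds with MEDIA_CONTROLS_SCRIPT disabled get no protection at all, and nothing guards the earlier fullscreenModeChanged() call. If that call or the code after #endif can also reach script, move the Ref<HTMLMediaElement> protectedThis(*this); line above fullscreenModeChanged() and outside the #if so the lifetime guarantee does not depend on a build flag.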
@@ -6505,9 +6508,10 @@
m_processingPreferenceChange = true;
clearFlags(m_pendingActionFlags, ConfigureTextTracks);
- if (mode == Immediately)
+ if (mode == Immediately) {
+ Ref<HTMLMediaElement> protectedThis(*this); // configureTextTracks calls methods that can trigger arbitrary DOM mutations.
configureTextTracks();
- else
+ } else
scheduleDelayedAction(ConfigureTextTracks);
}
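Review bot: The guard is placed at this one call site of configureTextTracks() rather than in configureTextTracks() itself, so any other caller has to remember to add the same Ref and comment. If the function is what triggers the DOM mutations, taking protectedThis at its top would cover every caller and remove the need for the braces added here. The else branch is left unguarded, which is fine only as long as the delayed ConfigureTextTracks action takes its own reference when it fires; that path is not visible in this hunk and is worth checking against the schedule* changes listed in the ChangeLog.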