Title: [238983] releases/WebKitGTK/webkit-2.22/Source/WebCore
- Revision: 238983
- Author: [email protected]
- Date: 2018-12-07 16:25:29 -0800 (Fri, 07 Dec 2018)
Log Message
Merge r238788 - Lifetime of HTMLMediaElement is not properly handled in asynchronous actions
https://bugs.webkit.org/show_bug.cgi?id=192087
<rdar://problem/45975230>
Reviewed by Dean Jackson.
The HTMLMediaElement performs operations that allow arbitrary JavaScript to run. We need to make
sure the active media element is protected until those calls complete.
* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::didFinishInsertingNode):
(WebCore::HTMLMediaElement::exitFullscreen):
(WebCore::HTMLMediaElement::markCaptionAndSubtitleTracksAsUnconfigured):
(WebCore::HTMLMediaElement::scheduleConfigureTextTracks):
(WebCore::HTMLMediaElement::scheduleMediaEngineWasUpdated):
(WebCore::HTMLMediaElement::scheduleUpdatePlayState):
(WebCore::HTMLMediaElement::scheduleUpdateMediaState):
Diff
Modified: releases/WebKitGTK/webkit-2.22/Source/WebCore/ChangeLog (238982 => 238983)
--- releases/WebKitGTK/webkit-2.22/Source/WebCore/ChangeLog 2018-12-08 00:25:25 UTC (rev 238982)
+++ releases/WebKitGTK/webkit-2.22/Source/WebCore/ChangeLog 2018-12-08 00:25:29 UTC (rev 238983)
@@ -1,3 +1,23 @@
+2018-12-01 Brent Fulgham <[email protected]>
+
+ Lifetime of HTMLMediaElement is not properly handled in asynchronous actions
+ https://bugs.webkit.org/show_bug.cgi?id=192087
+ <rdar://problem/45975230>
+
+ Reviewed by Dean Jackson.
+
+ The HTMLMediaElement performs operations that allow arbitrary _javascript_ to run. We need to make
+ sure the active media element is protected until those calls complete.
+
+ * html/HTMLMediaElement.cpp:
+ (WebCore::HTMLMediaElement::didFinishInsertingNode):
+ (WebCore::HTMLMediaElement::exitFullscreen):
+ (WebCore::HTMLMediaElement::markCaptionAndSubtitleTracksAsUnconfigured):
+ (WebCore::HTMLMediaElement::scheduleConfigureTextTracks):
+ (WebCore::HTMLMediaElement::scheduleMediaEngineWasUpdated):
+ (WebCore::HTMLMediaElement::scheduleUpdatePlayState):
+ (WebCore::HTMLMediaElement::scheduleUpdateMediaState):
+
2018-11-16 Jiewen Tan <[email protected]>
Disallow loading webarchives as iframes
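Review bot: the new ChangeLog entry names no regression test and does not say why one is absent. For a lifetime fix that spans seven functions, the entry should either list the test that exercises the script-triggered removal or state that the case cannot be tested, so a later refactor that drops one of the guards is caught.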
Modified: releases/WebKitGTK/webkit-2.22/Source/WebCore/html/HTMLMediaElement.cpp (238982 => 238983)
--- releases/WebKitGTK/webkit-2.22/Source/WebCore/html/HTMLMediaElement.cpp 2018-12-08 00:25:25 UTC (rev 238982)
+++ releases/WebKitGTK/webkit-2.22/Source/WebCore/html/HTMLMediaElement.cpp 2018-12-08 00:25:29 UTC (rev 238983)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2007-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2007-2018 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -954,6 +954,8 @@
void HTMLMediaElement::didFinishInsertingNode()
{
+ Ref<HTMLMediaElement> protectedThis(*this); // prepareForLoad may result in a 'beforeload' event, which can make arbitrary DOM mutations.
+
if (m_inActiveDocument && m_networkState == NETWORK_EMPTY && !attributeWithoutSynchronization(srcAttr).isEmpty())
prepareForLoad();
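Review bot: in didFinishInsertingNode() the protectedThis reference only keeps the object alive; it does not keep the state tested in the if condition valid once prepareForLoad() has dispatched 'beforeload'. Any code that follows prepareForLoad() in this function should re-read m_inActiveDocument and m_networkState instead of relying on the values checked before the call. As a style point, the explanatory comment would read better on its own line above the declaration than trailing an already long statement.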
@@ -5968,6 +5970,7 @@
VideoFullscreenMode oldVideoFullscreenMode = m_videoFullscreenMode;
fullscreenModeChanged(VideoFullscreenModeNone);
#if ENABLE(MEDIA_CONTROLS_SCRIPT)
+ Ref<HTMLMediaElement> protectedThis(*this); // updateMediaControlsAfterPresentationModeChange calls methods that can trigger arbitrary DOM mutations.
updateMediaControlsAfterPresentationModeChange();
#endif
if (hasMediaControls())
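Review bot: in exitFullscreen() the protectedThis declaration sits inside #if ENABLE(MEDIA_CONTROLS_SCRIPT) while its lifetime runs past the #endif, so the hasMediaControls() check below is covered only in builds with that feature enabled, and fullscreenModeChanged(VideoFullscreenModeNone) runs before the reference is taken in every build. If the intent is to hold the element for the rest of the function, declare the Ref at the top of the function as didFinishInsertingNode() does; if only updateMediaControlsAfterPresentationModeChange() needs it, give those two lines their own braces so the scope matches the comment.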
@@ -6523,9 +6526,10 @@
m_processingPreferenceChange = true;
clearFlags(m_pendingActionFlags, ConfigureTextTracks);
- if (mode == Immediately)
+ if (mode == Immediately) {
+ Ref<HTMLMediaElement> protectedThis(*this); // configureTextTracks calls methods that can trigger arbitrary DOM mutations.
configureTextTracks();
- else
+ } else
scheduleDelayedAction(ConfigureTextTracks);
}
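Review bot: only the Immediately branch takes a reference here; the else branch defers the same work through scheduleDelayedAction(ConfigureTextTracks) and nothing in this hunk shows where that deferred call protects the element. The ChangeLog lists scheduleConfigureTextTracks as modified, so please confirm that change covers the delayed path, and consider a short comment on the else branch pointing to it. Note also that m_processingPreferenceChange is set to true before configureTextTracks() can run script, so it is worth checking that a re-entrant call cannot leave the flag in the wrong state.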
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes