Skip to site navigation (Press enter)

[webkit-changes] [239458] trunk/Source/WebCore

jer . noble Thu, 20 Dec 2018 11:50:02 -0800

Title: [239458] trunk/Source/WebCore

Revision: 239458
Author: [email protected]
Date: 2018-12-20 11:48:35 -0800 (Thu, 20 Dec 2018)

Log Message

REGRESSION (r239419): heap-use-after-free in AudioSourceProviderAVFObjC::finalizeCallback()
https://bugs.webkit.org/show_bug.cgi?id=192941
<rdar://problem/46874096>


Reviewed by Brent Fulgham.

Don't delete the locked lock before unlocking the lock.

* platform/graphics/avfoundation/AudioSourceProviderAVFObjC.mm:
(WebCore::AudioSourceProviderAVFObjC::finalizeCallback):

Modified Paths

trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/platform/graphics/avfoundation/AudioSourceProviderAVFObjC.mm

Diff

Modified: trunk/Source/WebCore/ChangeLog (239457 => 239458)


--- trunk/Source/WebCore/ChangeLog	2018-12-20 19:23:20 UTC (rev 239457)
+++ trunk/Source/WebCore/ChangeLog	2018-12-20 19:48:35 UTC (rev 239458)
@@ -1,3 +1,16 @@
+2018-12-20  Jer Noble  <[email protected]>
+
+        REGRESSION (r239419): heap-use-after-free in AudioSourceProviderAVFObjC::finalizeCallback()
+        https://bugs.webkit.org/show_bug.cgi?id=192941
+        <rdar://problem/46874096>
+
+        Reviewed by Brent Fulgham.
+
+        Don't delete the locked lock before unlocking the lock. 
+
+        * platform/graphics/avfoundation/AudioSourceProviderAVFObjC.mm:
+        (WebCore::AudioSourceProviderAVFObjC::finalizeCallback):
+
 2018-12-20  Keith Rollin  <[email protected]>
 
         Improve release-level page-load logging

Modified: trunk/Source/WebCore/platform/graphics/avfoundation/AudioSourceProviderAVFObjC.mm (239457 => 239458)


--- trunk/Source/WebCore/platform/graphics/avfoundation/AudioSourceProviderAVFObjC.mm	2018-12-20 19:23:20 UTC (rev 239457)
+++ trunk/Source/WebCore/platform/graphics/avfoundation/AudioSourceProviderAVFObjC.mm	2018-12-20 19:48:35 UTC (rev 239458)
@@ -248,10 +248,11 @@
     ASSERT(tap);
     TapStorage* tapStorage = static_cast<TapStorage*>(MTAudioProcessingTapGetStorage(tap));
 
-    std::lock_guard<Lock> lock(tapStorage->mutex);
-
-    if (tapStorage->_this)
-        tapStorage->_this->finalize();
+    {
+        std::lock_guard<Lock> lock(tapStorage->mutex);
+        if (tapStorage->_this)
+            tapStorage->_this->finalize();
+    }
     delete tapStorage;
 }

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes