[webkit-changes] [262506] trunk/Source/WebCore

Wed, 03 Jun 2020 12:26:26 -0700

Title: [262506] trunk/Source/WebCore
Revision
262506
Author
[email protected]
Date
2020-06-03 12:25:43 -0700 (Wed, 03 Jun 2020)

Log Message

Crash with uncaught exception: *** -[AVSampleBufferAudioRenderer enqueueSampleBuffer:] Sample buffer has media type 'vide' instead of 'soun'
https://bugs.webkit.org/show_bug.cgi?id=212646
<rdar://problem/63040834>

Reviewed by Eric Carlson.

Protect against the possibility of AVStreamDataParser generating non-video or -audio samples in an otherwise
video- or audio-track. Check the format description attached to the sample before appending, and ASSERT in
debug builds and ERROR_LOG in release builds, as this is an exceptional condition.

* platform/graphics/FourCC.h:
(WTF::LogArgument<WebCore::FourCC>::toString):
* platform/graphics/avfoundation/objc/SourceBufferPrivateAVFObjC.mm:
(WebCore::SourceBufferPrivateAVFObjC::enqueueSample):

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (262505 => 262506)


--- trunk/Source/WebCore/ChangeLog	2020-06-03 19:13:26 UTC (rev 262505)
+++ trunk/Source/WebCore/ChangeLog	2020-06-03 19:25:43 UTC (rev 262506)
@@ -1,3 +1,20 @@
+2020-06-03  Jer Noble  <[email protected]>
+
+        Crash with uncaught exception: *** -[AVSampleBufferAudioRenderer enqueueSampleBuffer:] Sample buffer has media type 'vide' instead of 'soun'
+        https://bugs.webkit.org/show_bug.cgi?id=212646
+        <rdar://problem/63040834>
+
+        Reviewed by Eric Carlson.
+
+        Protect against the possibility of AVStreamDataParser generating non-video or -audio samples in an otherwise
+        video- or audio-track. Check the format description attached to the sample before appending, and ASSERT in
+        debug builds and ERROR_LOG in release builds, as this is an exceptional condition.
+
+        * platform/graphics/FourCC.h:
+        (WTF::LogArgument<WebCore::FourCC>::toString):
+        * platform/graphics/avfoundation/objc/SourceBufferPrivateAVFObjC.mm:
+        (WebCore::SourceBufferPrivateAVFObjC::enqueueSample):
+
 2020-06-03  Kate Cheney  <[email protected]>
 
         Any active sqlite transactions for the ITP database should be aborted when the network process suspends.

Modified: trunk/Source/WebCore/platform/graphics/FourCC.h (262505 => 262506)


--- trunk/Source/WebCore/platform/graphics/FourCC.h	2020-06-03 19:13:26 UTC (rev 262505)
+++ trunk/Source/WebCore/platform/graphics/FourCC.h	2020-06-03 19:25:43 UTC (rev 262506)
@@ -49,4 +49,14 @@
     uint32_t value { 0 };
 };
 
-}
+} // namespace WebCore
+
+namespace WTF {
+
+template<typename> struct LogArgument;
+
+template<> struct LogArgument<WebCore::FourCC> {
+    static String toString(const WebCore::FourCC& code) { return code.toString(); }
+};
+
+} // namespace WTF

Modified: trunk/Source/WebCore/platform/graphics/avfoundation/objc/SourceBufferPrivateAVFObjC.mm (262505 => 262506)


--- trunk/Source/WebCore/platform/graphics/avfoundation/objc/SourceBufferPrivateAVFObjC.mm	2020-06-03 19:13:26 UTC (rev 262505)
+++ trunk/Source/WebCore/platform/graphics/avfoundation/objc/SourceBufferPrivateAVFObjC.mm	2020-06-03 19:25:43 UTC (rev 262506)
@@ -34,6 +34,7 @@
 #import "CDMInstanceFairPlayStreamingAVFObjC.h"
 #import "CDMSessionAVContentKeySession.h"
 #import "CDMSessionMediaSourceAVFObjC.h"
+#import "FourCC.h"
 #import "InbandTextTrackPrivateAVFObjC.h"
 #import "Logging.h"
 #import "MediaDescription.h"
@@ -1127,8 +1128,24 @@
     auto logSiteIdentifier = LOGIDENTIFIER;
     DEBUG_LOG(logSiteIdentifier, "track ID = ", trackID, ", sample = ", sample.get());
 
+    CMFormatDescriptionRef formatDescription = CMSampleBufferGetFormatDescription(platformSample.sample.cmSampleBuffer);
+    ASSERT(formatDescription);
+    if (!formatDescription) {
+        ERROR_LOG(logSiteIdentifier, "Received sample with a null formatDescription. Bailing.");
+        return;
+    }
+    auto mediaType = CMFormatDescriptionGetMediaType(formatDescription);
+
     if (trackID == m_enabledVideoTrackID) {
-        CMFormatDescriptionRef formatDescription = CMSampleBufferGetFormatDescription(platformSample.sample.cmSampleBuffer);
+        // AVSampleBufferDisplayLayer will throw an un-documented exception if passed a sample
+        // whose media type is not kCMMediaType_Video. This condition is exceptional; we should
+        // never enqueue a non-video sample in a AVSampleBufferDisplayLayer.
+        ASSERT(mediaType == kCMMediaType_Video);
+        if (mediaType != kCMMediaType_Video) {
+            ERROR_LOG(logSiteIdentifier, "Expected sample of type '", FourCC(kCMMediaType_Video), "', got '", FourCC(mediaType), "'. Bailing.");
+            return;
+        }
+
         FloatSize formatSize = FloatSize(CMVideoFormatDescriptionGetPresentationDimensions(formatDescription, true, true));
         if (!m_cachedSize || formatSize != m_cachedSize.value()) {
             DEBUG_LOG(logSiteIdentifier, "size changed to ", formatSize);
@@ -1186,6 +1203,15 @@
             [m_displayLayer enqueueSampleBuffer:platformSample.sample.cmSampleBuffer];
 
     } else {
+        // AVSampleBufferAudioRenderer will throw an un-documented exception if passed a sample
+        // whose media type is not kCMMediaType_Audio. This condition is exceptional; we should
+        // never enqueue a non-video sample in a AVSampleBufferAudioRenderer.
+        ASSERT(mediaType == kCMMediaType_Audio);
+        if (mediaType != kCMMediaType_Audio) {
+            ERROR_LOG(logSiteIdentifier, "Expected sample of type '", FourCC(kCMMediaType_Audio), "', got '", FourCC(mediaType), "'. Bailing.");
+            return;
+        }
+
         auto renderer = m_audioRenderers.get(trackID);
         [renderer enqueueSampleBuffer:platformSample.sample.cmSampleBuffer];
         if (m_mediaSource && !sample->isNonDisplaying())

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to