Title: [288910] branches/safari-613-branch/Source/WebCore
- Revision: 288910
- Author: [email protected]
- Date: 2022-02-01 13:30:51 -0800 (Tue, 01 Feb 2022)
Log Message
Cherry-pick r288897. rdar://problem/87651247
[Cocoa] "index 0 out of bounds" exception in AVTrackPrivateAVFObjCImpl::videoTrackConfiguration()
https://bugs.webkit.org/show_bug.cgi?id=235918
<rdar://87651247>
Reviewed by Eric Carlson.
Crash data shows a rare exception thrown from inside a static method formatDescriptionFor()
in AVTrackPrivateAVFObjCImpl. The method first queries whether the .formatDescriptions
NSArray property is queryable, then for its count, then retrieves the first object in the
array. It's possible that the array is mutated on a background thread between the count
check and when the first object is retrieved.
To eliminate the possibility that the property is mutated between queries, pull the value
into a RetainPtr and run the query on that retained object. Use -[NSArray firstObject]
rather than -objectAtIndex:0, as the former will return nil if the -count is 0, while the
latter will throw an exception. To guard against the possibility that the
CMFormatDescriptionRef will go out of scope after the return, return the format description
itself wrapped in a RetainPtr as well.
* platform/graphics/avfoundation/AVTrackPrivateAVFObjCImpl.mm:
(WebCore::formatDescriptionFor):
(WebCore::AVTrackPrivateAVFObjCImpl::codec const):
(WebCore::AVTrackPrivateAVFObjCImpl::colorSpace const):
(WebCore::AVTrackPrivateAVFObjCImpl::sampleRate const):
(WebCore::AVTrackPrivateAVFObjCImpl::numberOfChannels const):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@288897 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Diff
Modified: branches/safari-613-branch/Source/WebCore/ChangeLog (288909 => 288910)
--- branches/safari-613-branch/Source/WebCore/ChangeLog 2022-02-01 21:30:48 UTC (rev 288909)
+++ branches/safari-613-branch/Source/WebCore/ChangeLog 2022-02-01 21:30:51 UTC (rev 288910)
@@ -1,3 +1,64 @@
+2022-02-01 Russell Epstein <[email protected]>
+
+ Cherry-pick r288897. rdar://problem/87651247
+
+ [Cocoa] "index 0 out of bounds" exception in AVTrackPrivateAVFObjCImpl::videoTrackConfiguration()
+ https://bugs.webkit.org/show_bug.cgi?id=235918
+ <rdar://87651247>
+
+ Reviewed by Eric Carlson.
+
+ Crash data shows a rare exception thrown from inside a static method formatDescriptionFor()
+ in AVTrackPrivateAVFObjCImpl. The method first queries whether the .formatDescriptions
+ NSArray property is queryable, then for its count, then retrieves the first object in the
+ array. It's possible that the array is mutated on a background thread between the count
+ check and when the first object is retrieved.
+
+ To eliminate the possibility that the property is mutated between queries, pull the value
+ into a RetainPtr and run the query on that retained object. Use -[NSArray firstObject]
+ rather than -objectAtIndex:0, as the former will return nil if the -count is 0, while the
+ latter will throw an exception. To guard against the possibility that the
+ CMFormatDescriptionRef will go out of scope after the return, return the format description
+ itself wrapped in a RetainPtr as well.
+
+ * platform/graphics/avfoundation/AVTrackPrivateAVFObjCImpl.mm:
+ (WebCore::formatDescriptionFor):
+ (WebCore::AVTrackPrivateAVFObjCImpl::codec const):
+ (WebCore::AVTrackPrivateAVFObjCImpl::colorSpace const):
+ (WebCore::AVTrackPrivateAVFObjCImpl::sampleRate const):
+ (WebCore::AVTrackPrivateAVFObjCImpl::numberOfChannels const):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@288897 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2022-02-01 Jer Noble <[email protected]>
+
+ [Cocoa] "index 0 out of bounds" exception in AVTrackPrivateAVFObjCImpl::videoTrackConfiguration()
+ https://bugs.webkit.org/show_bug.cgi?id=235918
+ <rdar://87651247>
+
+ Reviewed by Eric Carlson.
+
+ Crash data shows a rare exception thrown from inside a static method formatDescriptionFor()
+ in AVTrackPrivateAVFObjCImpl. The method first queries whether the .formatDescriptions
+ NSArray property is queryable, then for its count, then retrieves the first object in the
+ array. It's possible that the array is mutated on a background thread between the count
+ check and when the first object is retrieved.
+
+ To eliminate the possibility that the property is mutated between queries, pull the value
+ into a RetainPtr and run the query on that retained object. Use -[NSArray firstObject]
+ rather than -objectAtIndex:0, as the former will return nil if the -count is 0, while the
+ latter will throw an exception. To guard against the possibility that the
+ CMFormatDescriptionRef will go out of scope after the return, return the format description
+ itself wrapped in a RetainPtr as well.
+
+ * platform/graphics/avfoundation/AVTrackPrivateAVFObjCImpl.mm:
+ (WebCore::formatDescriptionFor):
+ (WebCore::AVTrackPrivateAVFObjCImpl::codec const):
+ (WebCore::AVTrackPrivateAVFObjCImpl::colorSpace const):
+ (WebCore::AVTrackPrivateAVFObjCImpl::sampleRate const):
+ (WebCore::AVTrackPrivateAVFObjCImpl::numberOfChannels const):
+
2022-01-31 Russell Epstein <[email protected]>
Cherry-pick r288829. rdar://problem/87402815
Modified: branches/safari-613-branch/Source/WebCore/platform/graphics/avfoundation/AVTrackPrivateAVFObjCImpl.mm (288909 => 288910)
--- branches/safari-613-branch/Source/WebCore/platform/graphics/avfoundation/AVTrackPrivateAVFObjCImpl.mm 2022-02-01 21:30:48 UTC (rev 288909)
+++ branches/safari-613-branch/Source/WebCore/platform/graphics/avfoundation/AVTrackPrivateAVFObjCImpl.mm 2022-02-01 21:30:51 UTC (rev 288910)
@@ -303,17 +303,18 @@
return nil;
}
-static CMFormatDescriptionRef formatDescriptionFor(const AVTrackPrivateAVFObjCImpl& impl)
+static RetainPtr<CMFormatDescriptionRef> formatDescriptionFor(const AVTrackPrivateAVFObjCImpl& impl)
{
auto assetTrack = assetTrackFor(impl);
- if (!assetTrack || [assetTrack statusOfValueForKey:@"formatDescriptions" error:nil] != AVKeyValueStatusLoaded || !assetTrack.formatDescriptions.count)
+ if (!assetTrack || [assetTrack statusOfValueForKey:@"formatDescriptions" error:nil] != AVKeyValueStatusLoaded)
return nullptr;
- return static_cast<CMFormatDescriptionRef>(assetTrack.formatDescriptions[0]);
+
+ return static_cast<CMFormatDescriptionRef>(assetTrack.formatDescriptions.firstObject);
}
String AVTrackPrivateAVFObjCImpl::codec() const
{
- return codecFromFormatDescription(formatDescriptionFor(*this));
+ return codecFromFormatDescription(formatDescriptionFor(*this).get());
}
uint32_t AVTrackPrivateAVFObjCImpl::width() const
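Review bot: In formatDescriptionFor(), the new return statement still reads assetTrack.formatDescriptions directly, while the log message says the value is pulled into a RetainPtr and the query is run on that retained object. The single -firstObject call does remove the count-then-index window, but nothing visible in this hunk holds the array across the call; consider assigning the property to a local RetainPtr first and calling firstObject on that, so the code matches the description and the array's lifetime is explicit. The `.get()` in codec() is taken from a temporary RetainPtr that lives only until the end of the full expression, which is safe only as long as codecFromFormatDescription() does not keep the raw pointer past the call.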
@@ -334,7 +335,7 @@
PlatformVideoColorSpace AVTrackPrivateAVFObjCImpl::colorSpace() const
{
- if (auto colorSpace = colorSpaceFromFormatDescription(formatDescriptionFor(*this)))
+ if (auto colorSpace = colorSpaceFromFormatDescription(formatDescriptionFor(*this).get()))
return *colorSpace;
return { };
}
@@ -355,7 +356,7 @@
if (!formatDescription)
return 0;
- const AudioStreamBasicDescription* const asbd = PAL::CMAudioFormatDescriptionGetStreamBasicDescription(formatDescription);
+ const AudioStreamBasicDescription* const asbd = PAL::CMAudioFormatDescriptionGetStreamBasicDescription(formatDescription.get());
if (!asbd)
return 0;
@@ -368,7 +369,7 @@
if (!formatDescription)
return 0;
- const AudioStreamBasicDescription* const asbd = PAL::CMAudioFormatDescriptionGetStreamBasicDescription(formatDescription);
+ const AudioStreamBasicDescription* const asbd = PAL::CMAudioFormatDescriptionGetStreamBasicDescription(formatDescription.get());
if (!asbd)
return 0;
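Review bot: asbd, here and in the identical hunk above, is a raw pointer obtained through formatDescription.get(), so it stays valid only while the formatDescription local keeps its reference. The declaration of formatDescription is outside the visible context; it should hold the RetainPtr returned by formatDescriptionFor() (for example via auto) for the whole function body, and asbd should not be stored or returned beyond that scope. A short comment next to the asbd declaration stating this dependency would help future edits.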