Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: a14d1c0731137bfcf330d8706fadd983b9834b17
      
https://github.com/WebKit/WebKit/commit/a14d1c0731137bfcf330d8706fadd983b9834b17
  Author: Youenn Fablet <[email protected]>
  Date:   2026-07-01 (Wed, 01 Jul 2026)

  Changed paths:
    A LayoutTests/webrtc/transceiver-setCodecPreferences-closed-expected.txt
    A LayoutTests/webrtc/transceiver-setCodecPreferences-closed.html
    M Source/WebCore/Modules/mediastream/RTCRtpTransceiver.cpp

  Log Message:
  -----------
  Safari & Chrome for iOS: Use-after-free in WebKit libwebrtc `RtpTransceiver` 
codec state reachable via `RTCRtpTransceiver.setCodecPreferences` after 
garbage-collected `RTCPeerConnection`
rdar://175625015

Reviewed by Jean-Yves Avenard.

While we should fix the RtpTransceiver/PeerConnection relationship in 
libwebrtc, we instead do a short term fix in WebCore layer by making 
RTCRtpTransceiver.setCodecPreferences a no-op when peer connection is destroyed 
or closed.

Test: webrtc/transceiver-setCodecPreferences-closed.html

* LayoutTests/webrtc/transceiver-setCodecPreferences-closed-expected.txt: Added.
* LayoutTests/webrtc/transceiver-setCodecPreferences-closed.html: Added.
* Source/WebCore/Modules/mediastream/RTCRtpTransceiver.cpp:
(WebCore::RTCRtpTransceiver::setCodecPreferences):

Originally-landed-as: 305413.781@safari-7624-branch (456c1826db44). 
rdar://181076635
Canonical link: https://commits.webkit.org/316356@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

Reply via email to