Title: [127153] trunk
- Revision
- 127153
- Author
- [email protected]
- Date
- 2012-08-30 09:52:18 -0700 (Thu, 30 Aug 2012)
Log Message
Fix a crash in SourceBufferList.remove().
https://bugs.webkit.org/show_bug.cgi?id=94950
Patch by Aaron Colwell <[email protected]> on 2012-08-30
Reviewed by Eric Carlson.
Source/WebCore:
Move SourceBuffer::clear() call before the removal of the SourceBuffer from
SourceBufferList::m_list to avoid a use after free if m_list holds the last
reference.
Test: http/tests/media/media-source/video-media-source-sourcebufferlist-crash.html
* Modules/mediasource/SourceBufferList.cpp:
(WebCore::SourceBufferList::remove):
LayoutTests:
Added a layout test to verify that the application doesn't crash if a SourceBufferList is
holding the only references for its SourceBuffer objects when a MediaSource transitions to "closed".
* http/tests/media/media-source/video-media-source-sourcebufferlist-crash-expected.txt: Added.
* http/tests/media/media-source/video-media-source-sourcebufferlist-crash.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (127152 => 127153)
--- trunk/LayoutTests/ChangeLog 2012-08-30 16:38:19 UTC (rev 127152)
+++ trunk/LayoutTests/ChangeLog 2012-08-30 16:52:18 UTC (rev 127153)
@@ -1,3 +1,16 @@
+2012-08-30 Aaron Colwell <[email protected]>
+
+ Fix a crash in SourceBufferList.remove().
+ https://bugs.webkit.org/show_bug.cgi?id=94950
+
+ Reviewed by Eric Carlson.
+
+ Added a layout test to verify that the application doesn't crash if a SourceBufferList is
+ holding the only references for its SourceBuffer objects when a MediaSource transitions to "closed".
+
+ * http/tests/media/media-source/video-media-source-sourcebufferlist-crash-expected.txt: Added.
+ * http/tests/media/media-source/video-media-source-sourcebufferlist-crash.html: Added.
+
2012-08-30 Thiago Marcos P. Santos <[email protected]>
[EFL] Remove redundant entries on the Skipped list
Added: trunk/LayoutTests/http/tests/media/media-source/video-media-source-sourcebufferlist-crash-expected.txt (0 => 127153)
--- trunk/LayoutTests/http/tests/media/media-source/video-media-source-sourcebufferlist-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/media/media-source/video-media-source-sourcebufferlist-crash-expected.txt 2012-08-30 16:52:18 UTC (rev 127153)
@@ -0,0 +1,7 @@
+Verify that we don't crash on close if the MediaSource.sourceBuffers holds the last reference to its SourceBuffer objects.
+
+Calling addSourceBuffer()
+Running garbage collector to cleanup the SourceBuffer reference returned by addSourceBuffer()
+onSourceClose
+END OF TEST
+
Added: trunk/LayoutTests/http/tests/media/media-source/video-media-source-sourcebufferlist-crash.html (0 => 127153)
--- trunk/LayoutTests/http/tests/media/media-source/video-media-source-sourcebufferlist-crash.html (rev 0)
+++ trunk/LayoutTests/http/tests/media/media-source/video-media-source-sourcebufferlist-crash.html 2012-08-30 16:52:18 UTC (rev 127153)
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <script src=""
+ <script type="text/_javascript_">
+ function onSourceOpen(e)
+ {
+ consoleWrite("Calling addSourceBuffer()");
+ e.target.addSourceBuffer('video/webm;codecs="vp8"');
+
+ if (window.GCController) {
+ consoleWrite("Running garbage collector to cleanup the SourceBuffer reference returned by addSourceBuffer()");
+ window.GCController.collect();
+ }
+
+ document.querySelector('#v').src = ""
+ }
+
+ function onSourceClose(e)
+ {
+ consoleWrite("onSourceClose");
+ endTest();
+ }
+
+ function main()
+ {
+ var video = document.querySelector('#v');
+ var mediaSource = new WebKitMediaSource();
+
+ mediaSource.addEventListener('webkitsourceopen', onSourceOpen);
+ mediaSource.addEventListener('webkitsourceclose', onSourceClose);
+
+ video.src = ""
+ }
+ </script>
+ </head>
+ <body _onload_="main()">
+ <video id="v"></video>
+ <p>Verify that we don't crash on close if the MediaSource.sourceBuffers holds the last reference to its SourceBuffer objects.</p>
+ </body>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (127152 => 127153)
--- trunk/Source/WebCore/ChangeLog 2012-08-30 16:38:19 UTC (rev 127152)
+++ trunk/Source/WebCore/ChangeLog 2012-08-30 16:52:18 UTC (rev 127153)
@@ -1,3 +1,19 @@
+2012-08-30 Aaron Colwell <[email protected]>
+
+ Fix a crash in SourceBufferList.remove().
+ https://bugs.webkit.org/show_bug.cgi?id=94950
+
+ Reviewed by Eric Carlson.
+
+ Move SourceBuffer::clear() call before the removal of the SourceBuffer from
+ SourceBufferList::m_list to avoid a use after free if m_list holds the last
+ reference.
+
+ Test: http/tests/media/media-source/video-media-source-sourcebufferlist-crash.html
+
+ * Modules/mediasource/SourceBufferList.cpp:
+ (WebCore::SourceBufferList::remove):
+
2012-08-30 Otto Derek Cheung <[email protected]>
[BlackBerry] Modifying how IP domains are handled in Cookies
Modified: trunk/Source/WebCore/Modules/mediasource/SourceBufferList.cpp (127152 => 127153)
--- trunk/Source/WebCore/Modules/mediasource/SourceBufferList.cpp 2012-08-30 16:38:19 UTC (rev 127152)
+++ trunk/Source/WebCore/Modules/mediasource/SourceBufferList.cpp 2012-08-30 16:52:18 UTC (rev 127153)
@@ -70,8 +70,8 @@
if (index == notFound)
return false;
+ buffer->clear();
m_list.remove(index);
- buffer->clear();
createAndFireEvent(eventNames().webkitremovesourcebufferEvent);
return true;
}
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes
