Title: [133609] trunk
- Revision
- 133609
- Author
- [email protected]
- Date
- 2012-11-06 07:42:48 -0800 (Tue, 06 Nov 2012)
Log Message
Regression(r132681): Heap-use-after-free in WebCore::RenderTextTrackCue::layout
https://bugs.webkit.org/show_bug.cgi?id=100981
Patch by Aaron Colwell <[email protected]> on 2012-11-06
Reviewed by Eric Carlson.
Source/WebCore:
Fixing a TextTrackCue use after free bug. textTrackRemoveCues() needs to be called when
an HTMLTrackElement is removed from an HTMLMediaElement so that references to
TextTrackCues are removed from m_cueTree.
Test: media/track/track-remove-by-setting-innerHTML.html
* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::willRemoveTrack):
LayoutTests:
Added a test that removes track elements by setting innerHTML on the track's parent.
* media/track/track-remove-by-setting-innerHTML-expected.txt: Added.
* media/track/track-remove-by-setting-innerHTML.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (133608 => 133609)
--- trunk/LayoutTests/ChangeLog 2012-11-06 15:34:13 UTC (rev 133608)
+++ trunk/LayoutTests/ChangeLog 2012-11-06 15:42:48 UTC (rev 133609)
@@ -1,3 +1,15 @@
+2012-11-06 Aaron Colwell <[email protected]>
+
+ Regression(r132681): Heap-use-after-free in WebCore::RenderTextTrackCue::layout
+ https://bugs.webkit.org/show_bug.cgi?id=100981
+
+ Reviewed by Eric Carlson.
+
+ Added a test that removes track elements by setting innerHTML on the track's parent.
+
+ * media/track/track-remove-by-setting-innerHTML-expected.txt: Added.
+ * media/track/track-remove-by-setting-innerHTML.html: Added.
+
2012-11-06 Max Feil <[email protected]>
[BlackBerry] Automatically go fullscreen on video play
Added: trunk/LayoutTests/media/track/track-remove-by-setting-innerHTML-expected.txt (0 => 133609)
--- trunk/LayoutTests/media/track/track-remove-by-setting-innerHTML-expected.txt (rev 0)
+++ trunk/LayoutTests/media/track/track-remove-by-setting-innerHTML-expected.txt 2012-11-06 15:42:48 UTC (rev 133609)
@@ -0,0 +1,9 @@
+This test makes sure that removing a track by setting video.innerHTML doesn't crash (https://bugs.webkit.org/show_bug.cgi?id=100981).
+If this test does not crash, it passes.
+
+EVENT(canplaythrough)
+EVENT(seeked)
+RUN(video.currentTime = 7.9)
+EVENT(seeked)
+END OF TEST
+
Added: trunk/LayoutTests/media/track/track-remove-by-setting-innerHTML.html (0 => 133609)
--- trunk/LayoutTests/media/track/track-remove-by-setting-innerHTML.html (rev 0)
+++ trunk/LayoutTests/media/track/track-remove-by-setting-innerHTML.html 2012-11-06 15:42:48 UTC (rev 133609)
@@ -0,0 +1,46 @@
+<!doctype html>
+<html>
+ <head>
+ <script src=""
+ <script src=""
+ <script type="text/_javascript_">
+ var firstSeek = true;
+
+ function seeked()
+ {
+ if (!firstSeek) {
+ endTest();
+ return;
+ }
+
+ // Remove the text tra
+ video.innerHTML = "This is a test";
+
+ // Seek again to force a repaint.
+ run("video.currentTime = 7.9");
+ firstSeek = false;
+ }
+
+ function loaded()
+ {
+ findMediaElement();
+ waitForEvent('error');
+ waitForEvent('seeked', seeked);
+ waitForEvent('canplaythrough', function()
+ {
+ video.currentTime = 0.5;
+ });
+ video.src = "" '../content/counting');
+ }
+ </script>
+ </head>
+ <body _onload_=loaded()>
+ <video>
+ <track default="" src=""
+ </video>
+ <div>
+ This test makes sure that removing a track by setting video.innerHTML doesn't crash (https://bugs.webkit.org/show_bug.cgi?id=100981).
+ <p>If this test does not crash, it passes.</p>
+ </div>
+ </body>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (133608 => 133609)
--- trunk/Source/WebCore/ChangeLog 2012-11-06 15:34:13 UTC (rev 133608)
+++ trunk/Source/WebCore/ChangeLog 2012-11-06 15:42:48 UTC (rev 133609)
@@ -1,3 +1,19 @@
+2012-11-06 Aaron Colwell <[email protected]>
+
+ Regression(r132681): Heap-use-after-free in WebCore::RenderTextTrackCue::layout
+ https://bugs.webkit.org/show_bug.cgi?id=100981
+
+ Reviewed by Eric Carlson.
+
+ Fixing a TextTrackCue use after free bug. textTrackRemoveCues() needs to be called when
+ an HTMLTrackElement is removed from an HTMLMediaElement so that references to
+ TextTrackCues are removed from m_cueTree.
+
+ Test: media/track/track-remove-by-setting-innerHTML.html
+
+ * html/HTMLMediaElement.cpp:
+ (WebCore::HTMLMediaElement::willRemoveTrack):
+
2012-10-23 Stephen White <[email protected]>
[skia] Implement reference (url) filters on composited layers.
Modified: trunk/Source/WebCore/html/HTMLMediaElement.cpp (133608 => 133609)
--- trunk/Source/WebCore/html/HTMLMediaElement.cpp 2012-11-06 15:34:13 UTC (rev 133608)
+++ trunk/Source/WebCore/html/HTMLMediaElement.cpp 2012-11-06 15:42:48 UTC (rev 133609)
@@ -2831,6 +2831,14 @@
// then the user agent must remove the track element's corresponding text track from the
// media element's list of text tracks.
m_textTracks->remove(textTrack.get());
+ if (textTrack->cues()) {
+ TextTrackCueList* cues = textTrack->cues();
+ beginIgnoringTrackDisplayUpdateRequests();
+ for (size_t i = 0; i < cues->length(); ++i)
+ textTrackRemoveCue(cues->item(i)->track(), cues->item(i));
+ endIgnoringTrackDisplayUpdateRequests();
+ }
+
size_t index = m_textTracksWhenResourceSelectionBegan.find(textTrack.get());
if (index != notFound)
m_textTracksWhenResourceSelectionBegan.remove(index);
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes
