Title: [146563] trunk/Source/WebCore
Revision: 146563
Author: [email protected]
Date: 2013-03-21 22:50:28 -0700 (Thu, 21 Mar 2013)
Log Message
Crash in WebCore::MediaPlayer::cachedResourceLoader + 4
https://bugs.webkit.org/show_bug.cgi?id=112977
Reviewed by Geoffrey Garen.
Speculative fix for a NULL-dereference crash. MediaPlayerPrivateAVFoundationObjC is the
sole owner of a WebCoreAVFLoaderDelegate instance. It releases this instance in its destructor,
but it is possible that, on another thread, the AVAssetResourceLoader has already begun
using the delegate and in so doing has retained it. By the time the delegate method is fired
on the main thread, the MediaPlayerPrivateAVFoundationObjC owner of the delegate has already
been deleted, and the delegate's m_callback pointer is now pointing at freed memory.
In addition to calling -[AVAssetResourceLoader setDelegate:queue:] to avoid any not-yet-started
delegate callbacks, MediaPlayerPrivateAVFoundationObjC should clear the WebCoreAVFLoaderDelegate
m_callback ivar, to avoid calling into freed memory for already queued delegate callbacks.
* platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm:
(WebCore::MediaPlayerPrivateAVFoundationObjC::~MediaPlayerPrivateAVFoundationObjC): Clear the m_loaderDelegate's callback pointer.
(-[WebCoreAVFLoaderDelegate resourceLoader:shouldWaitForLoadingOfRequestedResource:]): Check the value of m_callback before continuing.
(-[WebCoreAVFLoaderDelegate resourceLoader:didCancelLoadingRequest:]): Ditto.
(-[WebCoreAVFLoaderDelegate setCallback:]): Added simple setter.
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (146562 => 146563)
--- trunk/Source/WebCore/ChangeLog 2013-03-22 05:22:14 UTC (rev 146562)
+++ trunk/Source/WebCore/ChangeLog 2013-03-22 05:50:28 UTC (rev 146563)
@@ -1,3 +1,27 @@
+2013-03-21 Jer Noble <[email protected]>
+
+ Crash in WebCore::MediaPlayer::cachedResourceLoader + 4
+ https://bugs.webkit.org/show_bug.cgi?id=112977
+
+ Reviewed by Geoffrey Garen.
+
+ Speculative fix for a NULL-dereference crash. MediaPlayerPrivateAVFoundationObjC is the
+ sole owner of a WebCoreAVFLoaderDelegate instance. It releases this instance in its destructor,
+ but it is possible that, on another thread, the AVAssetResourceLoader has already begun
+ using the delegate and in so doing has retained it. By the time the delegate method is fired
+ on the main thread, the MediaPlayerPrivateAVFoundationObjC owner of the delegate has already
+ been deleted, and the delegate's m_callback pointer is now pointing at freed memory.
+
+ In addition to calling -[AVAssetResourceLoader setDelegate:queue:] to avoid any not-yet-started
+ delegate callbacks, MediaPlayerPrivateAVFoundationObjC should clear the WebCoreAVFLoaderDelegate
+ m_callback ivar, to avoid calling into freed memory for already queued delegate callbacks.
+
+ * platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm:
+ (WebCore::MediaPlayerPrivateAVFoundationObjC::~MediaPlayerPrivateAVFoundationObjC): Clear the m_loaderDelegate's callback pointer.
+ (-[WebCoreAVFLoaderDelegate resourceLoader:shouldWaitForLoadingOfRequestedResource:]): Check the value of m_callback before continuing.
+ (-[WebCoreAVFLoaderDelegate resourceLoader:didCancelLoadingRequest:]): Ditto.
+ (-[WebCoreAVFLoaderDelegate setCallback:]): Added simple setter.
+
2013-03-21 Takashi Sakamoto <[email protected]>
XMLDocumentParser doesn't parse <template> correctly.
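Review bot: the first paragraph of the new entry calls this a NULL-dereference crash, but the mechanism it then describes (m_callback still pointing at a MediaPlayerPrivateAVFoundationObjC that has already been deleted) is a use-after-free, and it is the m_callback checks added in the delegate methods that turn it into a benign early return; the entry should name the bug class accurately so the crash signature in the title is not read as a plain missing null check. It would also help to add the customary line explaining why no regression test accompanies the change (the race depends on AVAssetResourceLoader timing on a background thread), rather than leaving the test question unaddressed.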
Modified: trunk/Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm (146562 => 146563)
--- trunk/Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm 2013-03-22 05:22:14 UTC (rev 146562)
+++ trunk/Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm 2013-03-22 05:50:28 UTC (rev 146563)
@@ -171,6 +171,7 @@
}
- (id)initWithCallback:(MediaPlayerPrivateAVFoundationObjC*)callback;
- (BOOL)resourceLoader:(AVAssetResourceLoader *)resourceLoader shouldWaitForLoadingOfRequestedResource:(AVAssetResourceLoadingRequest *)loadingRequest;
+- (void)setCallback:(MediaPlayerPrivateAVFoundationObjC*)callback;
@end
#endif
@@ -234,6 +235,7 @@
playerToPrivateMap().remove(player());
#endif
#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 1090
+ [m_loaderDelegate.get() setCallback:0];
[[m_avAsset.get() resourceLoader] setDelegate:nil queue:0];
#endif
cancelLoad();
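Review bot: `[m_loaderDelegate.get() setCallback:0];` is a plain pointer store with no locking, so it only closes the window if this destructor runs on the same thread that delivers the delegate callbacks (the ChangeLog says they fire on the main thread; the queue handed to the original setDelegate:queue: call is not in this hunk). If a callback can run on a different queue it can read a non-null m_callback just before this line and then call into the freed player anyway, so the fix would still be speculative. Consider an ASSERT(isMainThread()) here, or a comment recording that the delegate queue must be the main queue, so the assumption is checked rather than implied. Clearing the callback before `setDelegate:nil queue:0` is the right order, and messaging a nil m_loaderDelegate is harmless, so the rest of the hunk is fine.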
@@ -1531,14 +1533,25 @@
- (BOOL)resourceLoader:(AVAssetResourceLoader *)resourceLoader shouldWaitForLoadingOfRequestedResource:(AVAssetResourceLoadingRequest *)loadingRequest
{
UNUSED_PARAM(resourceLoader);
+ if (!m_callback)
+ return NO;
+
return m_callback->shouldWaitForLoadingOfResource(loadingRequest);
}
- (void)resourceLoader:(AVAssetResourceLoader *)resourceLoader didCancelLoadingRequest:(AVAssetResourceLoadingRequest *)loadingRequest
{
UNUSED_PARAM(resourceLoader);
+ if (!m_callback)
+ return;
+
return m_callback->didCancelLoadingRequest(loadingRequest);
}
+
+- (void)setCallback:(MediaPlayerPrivateAVFoundationObjC*)callback
+{
+ m_callback = callback;
+}
@end
#endif
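Review bot: `return m_callback->didCancelLoadingRequest(loadingRequest);` returns a void expression from a `- (void)` method; it is legal in Objective-C++ but reads as a typo next to the new bare `return;` two lines above it, so drop the `return` keyword while this function is being touched. The early-return values themselves are right: answering NO from resourceLoader:shouldWaitForLoadingOfRequestedResource: tells AVFoundation the request will not be serviced, so the load fails promptly instead of waiting on a delegate whose owner is gone, and the new setCallback: is the only way the raw m_callback pointer can be cleared, which matches the destructor's use.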
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes