Title: [167264] trunk/Source/WebCore
Revision
167264
Author
jer.no...@apple.com
Date
2014-04-14 13:37:52 -0700 (Mon, 14 Apr 2014)

Log Message

Use after free in WebCore::CachedResourceHandleBase::~CachedResourceHandleBase / WebCore::removeDetachedChildrenInContainer
https://bugs.webkit.org/show_bug.cgi?id=131169

Reviewed by Eric Carlson.

Invalidate the WebCoreAVFResourceLoader objects owned by MediaPlayerPrivateAVFoundationObjC
in its destructor, so that stopping a loader during teardown no longer calls back into the
player's private didStopLoadingRequest() on an object that is being destroyed.

* platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm:
(WebCore::MediaPlayerPrivateAVFoundationObjC::~MediaPlayerPrivateAVFoundationObjC):
* platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.h:
* platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm:
(WebCore::WebCoreAVFResourceLoader::invalidate):

Modified: trunk/Source/WebCore/ChangeLog (167263 => 167264)


--- trunk/Source/WebCore/ChangeLog	2014-04-14 20:31:45 UTC (rev 167263)
+++ trunk/Source/WebCore/ChangeLog	2014-04-14 20:37:52 UTC (rev 167264)
@@ -1,3 +1,20 @@
+2014-04-14  Jer Noble  <jer.no...@apple.com>
+
+        Use after free in WebCore::CachedResourceHandleBase::~CachedResourceHandleBase / WebCore::removeDetachedChildrenInContainer
+        https://bugs.webkit.org/show_bug.cgi?id=131169
+
+        Reviewed by Eric Carlson.
+
+        Invalidate the WebCoreAVFResourceLoader owned by MediaPlayerPrivateAVFoundationObjC
+        in its destructor, to prevent a private function being called in response to the
+        WebCoreAVFResourceLoader being stopped.
+
+        * platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm:
+        (WebCore::MediaPlayerPrivateAVFoundationObjC::~MediaPlayerPrivateAVFoundationObjC):
+        * platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.h:
+        * platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm:
+        (WebCore::WebCoreAVFResourceLoader::invalidate):
+
 2014-04-14  Simon Fraser  <simon.fra...@apple.com>
 
         [WK2 iOS] Scrolling to anchor links is broken

Modified: trunk/Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm (167263 => 167264)


--- trunk/Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm	2014-04-14 20:31:45 UTC (rev 167263)
+++ trunk/Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm	2014-04-14 20:37:52 UTC (rev 167264)
@@ -369,6 +369,9 @@
 #if HAVE(AVFOUNDATION_LOADER_DELEGATE)
     [m_loaderDelegate.get() setCallback:0];
     [[m_avAsset.get() resourceLoader] setDelegate:nil queue:0];
+
+    for (auto& pair : m_resourceLoaderMap)
+        pair.value->invalidate();
 #endif
 #if HAVE(AVFOUNDATION_VIDEO_OUTPUT)
     [m_videoOutputDelegate setCallback:0];
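Review bot: The added range-for over m_resourceLoaderMap is only safe because invalidate() clears m_parent before it calls stopLoading(); if didStopLoadingRequest() erases the loader from this same map (its name suggests so, but its body is not visible here), any later reordering inside invalidate() would mutate the map mid-iteration and reintroduce a lifetime bug in the very path this commit fixes. That invariant should be stated on the loop, e.g. `// invalidate() drops the loader's parent pointer before stopping it, so stopLoading() cannot call back into didStopLoadingRequest() and erase from the map being iterated.` Consider also adding `m_resourceLoaderMap.clear();` right after the loop so the loaders are destroyed here, in a known order, rather than during member destruction, assuming nothing later in the destructor touches them. The destructor's body begins and ends outside this hunk.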

Modified: trunk/Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.h (167263 => 167264)


--- trunk/Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.h	2014-04-14 20:31:45 UTC (rev 167263)
+++ trunk/Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.h	2014-04-14 20:37:52 UTC (rev 167264)
@@ -51,6 +51,7 @@
 
     void startLoading();
     void stopLoading();
+    void invalidate();
 
     CachedRawResource* resource();
 
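Review bot: invalidate() joins the public interface with no comment stating its contract, so a caller cannot tell from the declaration that it is a one-way transition that must happen before the owner is destroyed. Suggest documenting it as `// Called by the owning MediaPlayerPrivateAVFoundationObjC before it is destroyed: clears the back-pointer to the parent and stops any in-flight load so no callback can reach a freed owner. After this call the loader is inert and startLoading() is a no-op.` Both of those behaviours are visible in the .mm change on this page, so the comment would only restate what the implementation already does.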

Modified: trunk/Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm (167263 => 167264)


--- trunk/Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm	2014-04-14 20:31:45 UTC (rev 167263)
+++ trunk/Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm	2014-04-14 20:37:52 UTC (rev 167264)
@@ -63,7 +63,7 @@
 
 void WebCoreAVFResourceLoader::startLoading()
 {
-    if (m_resource)
+    if (m_resource || !m_parent)
         return;
 
     URL requestURL = [[m_avRequest.get() request] URL];
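Review bot: On the new `!m_parent` branch startLoading() returns silently, and the AVAssetResourceLoadingRequest held in m_avRequest is neither finished nor failed; if AVFoundation could still call startLoading() on an invalidated loader the request would hang rather than be rejected. This is presumably unreachable because the owner sets the asset's resourceLoader delegate to nil before invalidating (see the destructor hunk), but the guard should say why it is a silent return: `// The owner has been torn down (invalidate() was called); never start a new load on its behalf.` The remainder of startLoading() lies outside this hunk.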
@@ -89,9 +89,16 @@
     m_resource->removeClient(this);
     m_resource = 0;
 
-    m_parent->didStopLoadingRequest(m_avRequest.get());
+    if (m_parent)
+        m_parent->didStopLoadingRequest(m_avRequest.get());
 }
 
+void WebCoreAVFResourceLoader::invalidate()
+{
+    m_parent = nullptr;
+    stopLoading();
+}
+
 void WebCoreAVFResourceLoader::responseReceived(CachedResource* resource, const ResourceResponse& response)
 {
     ASSERT(resource == m_resource);
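Review bot: invalidate() guards the m_parent dereference only in startLoading() and stopLoading(); any other member that reaches m_parent — the CachedRawResourceClient callbacks starting at responseReceived() are the obvious candidates, though their bodies are outside this hunk — would still dereference a null pointer if one ran after invalidate(). That is likely prevented only by stopLoading() removing this client from m_resource first, so the invariant is worth making checkable with an `ASSERT(m_parent);` at the top of each callback that uses it, or a null guard matching the one added in stopLoading(). Note also that invalidate() depends on stopLoading() tolerating a null m_resource, which is decided above the start of this hunk; responseReceived() continues past its end.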