Modified: trunk/Source/WebCore/ChangeLog (198548 => 198549)
--- trunk/Source/WebCore/ChangeLog 2016-03-22 20:29:40 UTC (rev 198548)
+++ trunk/Source/WebCore/ChangeLog 2016-03-22 20:56:38 UTC (rev 198549)
@@ -1,3 +1,22 @@
+2016-03-18 Jer Noble <[email protected]>
+
+ CRASH in WebCore::MediaResourceLoader::requestResource + 698
+ https://bugs.webkit.org/show_bug.cgi?id=155651
+ <rdar://problem/25130582>
+
+ Reviewed by Eric Carlson.
+
+ No new tests, fixes existing tests running under GuardMalloc.
+
+ Protect against the Document passed into MediaResourceLoader being destroyed during the MediaResourceLoader's lifetime.
+
+ * loader/MediaResourceLoader.cpp:
+ (WebCore::MediaResourceLoader::MediaResourceLoader):
+ (WebCore::MediaResourceLoader::contextDestroyed):
+ (WebCore::MediaResourceLoader::requestResource):
+ (WebCore::MediaResource::responseReceived):
+ * loader/MediaResourceLoader.h:
+
2016-03-22 Beth Dakin <[email protected]>
Advanced spell checking should be guarded behind
Modified: trunk/Source/WebCore/loader/MediaResourceLoader.cpp (198548 => 198549)
--- trunk/Source/WebCore/loader/MediaResourceLoader.cpp 2016-03-22 20:29:40 UTC (rev 198548)
+++ trunk/Source/WebCore/loader/MediaResourceLoader.cpp 2016-03-22 20:56:38 UTC (rev 198549)
@@ -1,5 +1,6 @@
/*
* Copyright (C) 2014 Igalia S.L
+ * Copyright (C) 2016 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -39,7 +40,8 @@
namespace WebCore {
MediaResourceLoader::MediaResourceLoader(Document& document, const String& crossOriginMode)
- : m_document(document)
+ : ContextDestructionObserver(&document)
+ , m_document(&document)
, m_crossOriginMode(crossOriginMode)
{
}
@@ -49,8 +51,17 @@
ASSERT(m_resources.isEmpty());
}
+void MediaResourceLoader::contextDestroyed()
+{
+ ContextDestructionObserver::contextDestroyed();
+ m_document = nullptr;
+}
+
RefPtr<PlatformMediaResource> MediaResourceLoader::requestResource(const ResourceRequest& request, LoadOptions options)
{
+ if (!m_document)
+ return nullptr;
+
DataBufferingPolicy bufferingPolicy = options & LoadOption::BufferData ? WebCore::BufferData : WebCore::DoNotBufferData;
RequestOriginPolicy corsPolicy = !m_crossOriginMode.isNull() ? PotentiallyCrossOriginEnabled : UseDefaultOriginRestrictionsForType;
StoredCredentials allowCredentials = m_crossOriginMode.isNull() || equalLettersIgnoringASCIICase(m_crossOriginMode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials;
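Review bot: contextDestroyed() only clears m_document and does nothing about the MediaResource entries still tracked in m_resources (the set the destructor above asserts is empty), so a load already in flight can keep delivering callbacks to a loader that no longer has a document. The guard added at the top of requestResource stops new loads, but every existing callback then has to null-check document() itself, and responseReceived is the only one that shows such a check in this change. Either confirm that the remaining MediaResource callbacks never reach the document, or state the contract on contextDestroyed with a comment such as `// In-flight MediaResources are not cancelled here; their callbacks must null-check document().`. requestResource's body continues outside this hunk.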
@@ -60,9 +71,9 @@
CachedResourceRequest cacheRequest(request, ResourceLoaderOptions(SendCallbacks, DoNotSniffContent, bufferingPolicy, allowCredentials, DoNotAskClientForCrossOriginCredentials, ClientDidNotRequestCredentials, DoSecurityCheck, corsPolicy, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading, CachingPolicy::AllowCaching));
if (!m_crossOriginMode.isNull())
- updateRequestForAccessControl(cacheRequest.mutableResourceRequest(), m_document.securityOrigin(), allowCredentials);
+ updateRequestForAccessControl(cacheRequest.mutableResourceRequest(), m_document->securityOrigin(), allowCredentials);
- CachedResourceHandle<CachedRawResource> resource = m_document.cachedResourceLoader().requestMedia(cacheRequest);
+ CachedResourceHandle<CachedRawResource> resource = m_document->cachedResourceLoader().requestMedia(cacheRequest);
if (!resource)
return nullptr;
@@ -116,10 +127,13 @@
{
ASSERT_UNUSED(resource, resource == m_resource);
+ if (!m_loader->document())
+ return;
+
RefPtr<MediaResource> protect(this);
- if (!m_loader->crossOriginMode().isNull() && !resource->passesSameOriginPolicyCheck(*m_loader->document().securityOrigin())) {
+ if (!m_loader->crossOriginMode().isNull() && !resource->passesSameOriginPolicyCheck(*m_loader->document()->securityOrigin())) {
static NeverDestroyed<const String> consoleMessage("Cross-origin media resource load denied by Cross-Origin Resource Sharing policy.");
- m_loader->document().addConsoleMessage(MessageSource::Security, MessageLevel::Error, consoleMessage.get());
+ m_loader->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, consoleMessage.get());
m_didPassAccessControlCheck = false;
if (m_client)
m_client->accessControlCheckFailed(*this, ResourceError(errorDomainWebKitInternal, 0, response.url(), consoleMessage.get()));
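Review bot: The early `return` on a null document in responseReceived sits ahead of the same-origin check, so for this response the check does not run and m_didPassAccessControlCheck is never written. The flag's initial value is not visible here; if it is not false, add `m_didPassAccessControlCheck = false;` before the `return` so that a torn-down document fails closed instead of leaving the resource looking as if it had passed. The client is also not told that the response was dropped, which may be intended but deserves a one-line comment at the guard. The function starts and ends outside this hunk.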
Modified: trunk/Source/WebCore/loader/MediaResourceLoader.h (198548 => 198549)
--- trunk/Source/WebCore/loader/MediaResourceLoader.h 2016-03-22 20:29:40 UTC (rev 198548)
+++ trunk/Source/WebCore/loader/MediaResourceLoader.h 2016-03-22 20:56:38 UTC (rev 198549)
@@ -29,6 +29,7 @@
#if ENABLE(VIDEO)
#include "CachedRawResourceClient.h"
#include "CachedResourceHandle.h"
+#include "ContextDestructionObserver.h"
#include "PlatformMediaResourceLoader.h"
#include <wtf/HashSet.h>
#include <wtf/Ref.h>
@@ -40,7 +41,7 @@
class Document;
class MediaResource;
-class MediaResourceLoader final : public PlatformMediaResourceLoader {
+class MediaResourceLoader final : public PlatformMediaResourceLoader, public ContextDestructionObserver {
public:
WEBCORE_EXPORT MediaResourceLoader(Document&, const String& crossOriginMode);
WEBCORE_EXPORT virtual ~MediaResourceLoader();
@@ -48,11 +49,13 @@
RefPtr<PlatformMediaResource> requestResource(const ResourceRequest&, LoadOptions) override;
void removeResource(MediaResource&);
- Document& document() { return m_document; }
+ Document* document() { return m_document; }
const String& crossOriginMode() const { return m_crossOriginMode; }
private:
- Document& m_document;
+ void contextDestroyed() override;
+
+ Document* m_document;
String m_crossOriginMode;
HashSet<MediaResource*> m_resources;
};
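Review bot: document() now returns a nullable `Document*`, but nothing at the declaration says when it becomes null. Changing the return type makes every caller switch from `.` to `->` without forcing a null check, so the contract belongs where the accessor is declared: `// Null after contextDestroyed(); callers must check before dereferencing.` above document(), with the same note on m_document. The class declaration begins in the previous hunk.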