Title: [199254] branches/safari-601.1.46-branch/Source/WebCore
Revision
199254
Author
[email protected]
Date
2016-04-08 15:59:58 -0700 (Fri, 08 Apr 2016)

Log Message

Merged r199252. rdar://problem/25533763

Modified Paths

Diff

Modified: branches/safari-601.1.46-branch/Source/WebCore/ChangeLog (199253 => 199254)


--- branches/safari-601.1.46-branch/Source/WebCore/ChangeLog	2016-04-08 22:54:50 UTC (rev 199253)
+++ branches/safari-601.1.46-branch/Source/WebCore/ChangeLog	2016-04-08 22:59:58 UTC (rev 199254)
@@ -1,3 +1,23 @@
+2016-04-08  Babak Shafiei  <[email protected]>
+
+        Merge r199252.
+
+    2016-04-08  Jer Noble  <[email protected]>
+
+            CRASH in AudioDestinationNode::render()
+            https://bugs.webkit.org/show_bug.cgi?id=156308
+
+            Reviewed by Eric Carlson.
+
+            Yet another math error in AudioDestinationIOS::render(). It is possible for the difference between
+            m_startSpareFrame and m_endSpareFrame to be greater than the numberOfFrames to be rendered. Protect
+            against this case by taking the min() of those two values and only advancing m_startSpareFrame by
+            that amount.  This guarantees that framesThisTime will never underflow, and that data will not be
+            written past the end of the ioData parameter.
+
+            * platform/audio/ios/AudioDestinationIOS.cpp:
+            (WebCore::AudioDestinationIOS::render):
+
 2016-04-06  Matthew Hanson  <[email protected]>
 
         Merge r199116. rdar://problem/25468815
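Review bot: the merge line "Merge r199252." omits the Radar reference that the commit log (rdar://problem/25533763) and the neighbouring entry ("Merge r199116. rdar://problem/25468815") both carry; for consistency and traceability consider "Merge r199252. rdar://problem/25533763".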

Modified: branches/safari-601.1.46-branch/Source/WebCore/platform/audio/ios/AudioDestinationIOS.cpp (199253 => 199254)


--- branches/safari-601.1.46-branch/Source/WebCore/platform/audio/ios/AudioDestinationIOS.cpp	2016-04-08 22:54:50 UTC (rev 199253)
+++ branches/safari-601.1.46-branch/Source/WebCore/platform/audio/ios/AudioDestinationIOS.cpp	2016-04-08 22:59:58 UTC (rev 199254)
@@ -217,15 +217,14 @@
     UInt32 framesRemaining = numberOfFrames;
     UInt32 frameOffset = 0;
     while (framesRemaining > 0) {
-        if (m_startSpareFrame && m_endSpareFrame) {
+        if (m_startSpareFrame < m_endSpareFrame) {
             ASSERT(m_startSpareFrame < m_endSpareFrame);
-            UInt32 framesThisTime = m_endSpareFrame - m_startSpareFrame;
+            UInt32 framesThisTime = std::min(m_endSpareFrame - m_startSpareFrame, numberOfFrames);
             assignAudioBuffersToBus(buffers, *m_renderBus, numberOfBuffers, numberOfFrames, frameOffset, framesThisTime);
             m_renderBus->copyFromRange(*m_spareBus, m_startSpareFrame, m_endSpareFrame);
             frameOffset += framesThisTime;
             framesRemaining -= framesThisTime;
-            m_startSpareFrame = 0;
-            m_endSpareFrame = 0;
+            m_startSpareFrame += framesThisTime;
         }
 
         UInt32 framesThisTime = std::min<UInt32>(kRenderBufferSize, framesRemaining);
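Review bot: the copy on the `m_renderBus->copyFromRange(*m_spareBus, m_startSpareFrame, m_endSpareFrame)` line still spans the whole spare range, while the bus was just sized for `framesThisTime` via `assignAudioBuffersToBus(..., frameOffset, framesThisTime)`; when the new `std::min` clamps `framesThisTime` below `m_endSpareFrame - m_startSpareFrame`, the copy end should be `m_startSpareFrame + framesThisTime` so that no more frames than were assigned are written. Two smaller points on the same lines: the clamp uses `numberOfFrames`, but the bound on what still fits at `frameOffset` is `framesRemaining` (identical on the first pass, smaller afterwards), so `std::min<UInt32>(m_endSpareFrame - m_startSpareFrame, framesRemaining)` is the safer form and matches the explicit `std::min<UInt32>` used for the render chunk below; and `ASSERT(m_startSpareFrame < m_endSpareFrame)` is now redundant with the `if` condition and could be dropped.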
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
