Changeset 206023 in webkit
- Timestamp: Sep 16, 2016 9:20:13 AM (8 years ago)
- Location: trunk/Source/WebCore
- Files: 3 edited
trunk/Source/WebCore/ChangeLog
r206022 r206023 1 2016-09-16 Jer Noble <jer.noble@apple.com> 2 3 [media-source] ASAN crash running imported/w3c/web-platform-tests/media-source/mediasource-remove.html 4 https://bugs.webkit.org/show_bug.cgi?id=162050 5 6 Reviewed by Brent Fulgham. 7 8 SampleMap::removeSample() was accessing the passed-in sample after removing it from its own storage. If 9 the SampleMap held the last reference to the sample, it would end up acessing freed memory. Fix the 10 post-removal access, but also ensure that the caller, SourceBuffer::removeCodedFrames(), retains the 11 sample it passes into removeSample(). 12 13 * Modules/mediasource/SampleMap.cpp: 14 (WebCore::SampleMap::removeSample): 15 * Modules/mediasource/SourceBuffer.cpp: 16 (WebCore::SourceBuffer::removeCodedFrames): 17 1 18 2016-09-16 Javier Fernandez <jfernandez@igalia.com> 2 19 -
trunk/Source/WebCore/Modules/mediasource/SampleMap.cpp
r204239 r206023 126 126 MediaTime presentationTime = sample->presentationTime(); 127 127 128 m_totalSize -= sample->sizeInBytes(); 129 130 auto decodeKey = DecodeOrderSampleMap::KeyType(sample->decodeTime(), presentationTime); 128 131 presentationOrder().m_samples.erase(presentationTime); 129 130 auto decodeKey = DecodeOrderSampleMap::KeyType(sample->decodeTime(), presentationTime);131 132 decodeOrder().m_samples.erase(decodeKey); 132 133 m_totalSize -= sample->sizeInBytes();134 133 } 135 134 -
trunk/Source/WebCore/Modules/mediasource/SourceBuffer.cpp
r206001 r206023 771 771 if (sampleIterator == trackBuffer.samples.presentationOrder().end()) 772 772 return; 773 if (!sampleIterator->second->isDivisable()) 773 RefPtr<MediaSample> sample = sampleIterator->second; 774 if (!sample->isDivisable()) 774 775 return; 775 std::pair<RefPtr<MediaSample>, RefPtr<MediaSample>> replacementSamples = sample Iterator->second->divide(time);776 std::pair<RefPtr<MediaSample>, RefPtr<MediaSample>> replacementSamples = sample->divide(time); 776 777 if (!replacementSamples.first || !replacementSamples.second) 777 778 return; 778 779 LOG(MediaSource, "SourceBuffer::removeCodedFrames(%p) - splitting sample (%s) into\n\t(%s)\n\t(%s)", this, 779 toString(sample Iterator->second).utf8().data(),780 toString(sample).utf8().data(), 780 781 toString(replacementSamples.first).utf8().data(), 781 782 toString(replacementSamples.second).utf8().data()); 782 trackBuffer.samples.removeSample(sample Iterator->second.get());783 trackBuffer.samples.removeSample(sample.get()); 783 784 trackBuffer.samples.addSample(*replacementSamples.first); 784 785 trackBuffer.samples.addSample(*replacementSamples.second);
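Review bot: In the ChangeLog entry, the sentence beginning "the SampleMap held the last reference to the sample" misspells "accessing" as "acessing". Worth correcting before landing, since people search ChangeLog text when tracing this crash.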
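Review bot: In SampleMap::removeSample(), nothing records that every read of sample has to happen before presentationOrder().m_samples.erase(presentationTime), so the new ordering is easy to undo by accident. The function still receives a raw pointer, and the first erase may drop the last reference. A later edit that adds a sample-> access after either erase would bring the use-after-free back. Please add a one-line comment above the first erase saying that sample may be destroyed from that point on. Alternatively, hold a RefPtr<MediaSample> local for the duration of the function so the body is safe regardless of statement order.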
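Review bot: In SourceBuffer::removeCodedFrames(), the new local RefPtr<MediaSample> sample = sampleIterator->second; is what keeps the object alive across trackBuffer.samples.removeSample(sample.get()), but the declaration does not say so. It reads like a readability alias, and a later cleanup could fold it back into sampleIterator->second. Please add a short comment marking it as a protector. It is also worth noting at the removeSample() call that sampleIterator points into presentationOrder() and is invalid once that entry is erased. The visible lines after the call use only sample and replacementSamples, which is correct and should stay that way.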