Changeset 206023 in webkit

Timestamp:
Sep 16, 2016 9:20:13 AM (8 years ago)
Author:
jer.noble@apple.com
Message:

[media-source] ASAN crash running imported/w3c/web-platform-tests/media-source/mediasource-remove.html
https://bugs.webkit.org/show_bug.cgi?id=162050

Reviewed by Brent Fulgham.

SampleMap::removeSample() was accessing the passed-in sample after removing it from its own storage. If
the SampleMap held the last reference to the sample, it would end up accessing freed memory. Fix the
post-removal access, but also ensure that the caller, SourceBuffer::removeCodedFrames(), retains the
sample it passes into removeSample().

  • Modules/mediasource/SampleMap.cpp:

(WebCore::SampleMap::removeSample):

  • Modules/mediasource/SourceBuffer.cpp:

(WebCore::SourceBuffer::removeCodedFrames):
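
The lifetime bug described in the message, as an added example that is not WebKit's code: a map that may own the last reference to a sample, a removeSample() written in the post-fix order (every read of the raw-pointer argument before the first erase), and a caller that retains the sample across removal as removeCodedFrames() now does. It uses std::shared_ptr in place of RefPtr, and Sample, SampleMap and liveCount are hypothetical names.

```cpp
// Added illustration (not WebKit code); std::shared_ptr stands in for RefPtr.
#include <cstddef>
#include <map>
#include <memory>
#include <utility>
struct Sample {
    int presentationTime, decodeTime;
    std::size_t sizeInBytes;
    static int liveCount;   // number of Sample objects currently alive
    Sample(int p, int d, std::size_t s) : presentationTime(p), decodeTime(d), sizeInBytes(s) { ++liveCount; }
    ~Sample() { --liveCount; }
};
int Sample::liveCount = 0;
struct SampleMap {
    std::size_t totalSize = 0;
    std::map<int, std::shared_ptr<Sample>> presentationOrder;
    std::map<std::pair<int, int>, std::shared_ptr<Sample>> decodeOrder;
    void addSample(std::shared_ptr<Sample> s) {
        presentationOrder[s->presentationTime] = s;
        decodeOrder[{s->decodeTime, s->presentationTime}] = s;
        totalSize += s->sizeInBytes;
    }
    // Post-fix ordering: all reads of |sample| happen before the first erase(), which may free it.
    void removeSample(Sample* sample) {
        int presentationTime = sample->presentationTime;
        totalSize -= sample->sizeInBytes;
        auto decodeKey = std::make_pair(sample->decodeTime, presentationTime);
        presentationOrder.erase(presentationTime);   // |sample| may dangle from here on
        decodeOrder.erase(decodeKey);
    }
};
// A sample owned only by the map is destroyed inside removeSample(); touching |raw| after that is a use-after-free.
bool mapOwnedSampleDiesDuringRemoval() {
    SampleMap map;
    map.addSample(std::make_shared<Sample>(1, 1, 100));
    Sample* raw = map.presentationOrder.at(1).get();
    map.removeSample(raw);
    return Sample::liveCount == 0 && map.totalSize == 0;
}
// Caller-side fix from the same changeset: hold a reference across the removal so the sample stays usable.
std::size_t removeWhileRetained() {
    SampleMap map;
    map.addSample(std::make_shared<Sample>(2, 2, 40));
    std::shared_ptr<Sample> sample = map.presentationOrder.at(2);   // retained before removal
    map.removeSample(sample.get());
    return sample->sizeInBytes;   // still safe: |sample| keeps the object alive
}
```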

Location:
trunk/Source/WebCore
Files:
3 edited

  • trunk/Source/WebCore/ChangeLog

    r206022 r206023  
     12016-09-16  Jer Noble  <jer.noble@apple.com>
     2
     3        [media-source] ASAN crash running imported/w3c/web-platform-tests/media-source/mediasource-remove.html
     4        https://bugs.webkit.org/show_bug.cgi?id=162050
     5
     6        Reviewed by Brent Fulgham.
     7
     8        SampleMap::removeSample() was accessing the passed-in sample after removing it from its own storage. If
     9        the SampleMap held the last reference to the sample, it would end up acessing freed memory. Fix the
     10        post-removal access, but also ensure that the caller, SourceBuffer::removeCodedFrames(), retains the
     11        sample it passes into removeSample().
     12
     13        * Modules/mediasource/SampleMap.cpp:
     14        (WebCore::SampleMap::removeSample):
     15        * Modules/mediasource/SourceBuffer.cpp:
     16        (WebCore::SourceBuffer::removeCodedFrames):
     17
    1182016-09-16  Javier Fernandez  <jfernandez@igalia.com>
    219
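Review bot: typo in the ChangeLog entry, in the sentence "it would end up acessing freed memory": "acessing" should read "accessing".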
  • trunk/Source/WebCore/Modules/mediasource/SampleMap.cpp

    r204239 r206023  
    126126    MediaTime presentationTime = sample->presentationTime();
    127127
     128    m_totalSize -= sample->sizeInBytes();
     129
     130    auto decodeKey = DecodeOrderSampleMap::KeyType(sample->decodeTime(), presentationTime);
    128131    presentationOrder().m_samples.erase(presentationTime);
    129 
    130     auto decodeKey = DecodeOrderSampleMap::KeyType(sample->decodeTime(), presentationTime);
    131132    decodeOrder().m_samples.erase(decodeKey);
    132 
    133     m_totalSize -= sample->sizeInBytes();
    134133}
    135134
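Review bot: the reordering removes the post-erase dereferences, but the invariant it relies on is only implicit: nothing may touch `sample` after `presentationOrder().m_samples.erase(presentationTime);`, because that erase can release the last reference and free the object. Add a comment at that line, e.g. `// |sample| may have been freed by the erase above; do not dereference it past this point.`, so a later edit does not reintroduce the access.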
  • trunk/Source/WebCore/Modules/mediasource/SourceBuffer.cpp

    r206001 r206023  
    771771            if (sampleIterator == trackBuffer.samples.presentationOrder().end())
    772772                return;
    773             if (!sampleIterator->second->isDivisable())
     773            RefPtr<MediaSample> sample = sampleIterator->second;
     774            if (!sample->isDivisable())
    774775                return;
    775             std::pair<RefPtr<MediaSample>, RefPtr<MediaSample>> replacementSamples = sampleIterator->second->divide(time);
     776            std::pair<RefPtr<MediaSample>, RefPtr<MediaSample>> replacementSamples = sample->divide(time);
    776777            if (!replacementSamples.first || !replacementSamples.second)
    777778                return;
    778779            LOG(MediaSource, "SourceBuffer::removeCodedFrames(%p) - splitting sample (%s) into\n\t(%s)\n\t(%s)", this,
    779                 toString(sampleIterator->second).utf8().data(),
     780                toString(sample).utf8().data(),
    780781                toString(replacementSamples.first).utf8().data(),
    781782                toString(replacementSamples.second).utf8().data());
    782             trackBuffer.samples.removeSample(sampleIterator->second.get());
     783            trackBuffer.samples.removeSample(sample.get());
    783784            trackBuffer.samples.addSample(*replacementSamples.first);
    784785            trackBuffer.samples.addSample(*replacementSamples.second);
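Review bot: `RefPtr<MediaSample> sample = sampleIterator->second;` keeps the sample alive across `trackBuffer.samples.removeSample(sample.get());`, but that call erases the map entry `sampleIterator` points at, so the iterator is invalid from that line on; the visible context ends at the two `addSample` calls, so confirm nothing later in the function uses `sampleIterator` (re-fetch it from `presentationOrder()` if the split samples are needed afterwards).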