Changeset 231920 in webkit

Timestamp:

May 17, 2018 2:02:23 PM (6 years ago)

Author:

jer.noble@apple.com

Message:

CRASH in ImageDecoderAVFObjC::sampleAtIndex()
​https://bugs.webkit.org/show_bug.cgi?id=185734
<rdar://problem/40295094>

Reviewed by Eric Carlson.

Source/WebCore:

Test: fast/images/animated-image-mp4-crash.html

Test the correct size value before iterating over the SampleMap in presentationOrder()

• Modules/mediasource/SampleMap.h:

(WebCore::PresentationOrderSampleMap::size const):

• platform/graphics/avfoundation/objc/ImageDecoderAVFObjC.mm:

(WebCore::ImageDecoderAVFObjC::sampleAtIndex const):

LayoutTests:

• fast/images/animated-image-mp4-crash-expected.txt: Added.
• fast/images/animated-image-mp4-crash.html: Added.
• fast/images/resources/two-samples-with-same-pts.mp4: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/images/animated-image-mp4-crash-expected.txt (added)
• LayoutTests/fast/images/animated-image-mp4-crash.html (added)
• LayoutTests/fast/images/resources/two-samples-with-same-pts.mp4 (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/Modules/mediasource/SampleMap.h (modified) (1 diff)
• Source/WebCore/platform/graphics/avfoundation/objc/ImageDecoderAVFObjC.mm (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2018-05-17  Jer Noble  <jer.noble@apple.com>
+
+        CRASH in ImageDecoderAVFObjC::sampleAtIndex()
+        https://bugs.webkit.org/show_bug.cgi?id=185734
+        <rdar://problem/40295094>
+
+        Reviewed by Eric Carlson.
+
+        * fast/images/animated-image-mp4-crash-expected.txt: Added.
+        * fast/images/animated-image-mp4-crash.html: Added.
+        * fast/images/resources/two-samples-with-same-pts.mp4: Added.
+
 2018-05-17  Youenn Fablet  <youenn@apple.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2018-05-17  Jer Noble  <jer.noble@apple.com>
+
+        CRASH in ImageDecoderAVFObjC::sampleAtIndex()
+        https://bugs.webkit.org/show_bug.cgi?id=185734
+        <rdar://problem/40295094>
+
+        Reviewed by Eric Carlson.
+
+        Test: fast/images/animated-image-mp4-crash.html
+
+        Test the correct size value before iterating over the SampleMap in presentationOrder()
+
+        * Modules/mediasource/SampleMap.h:
+        (WebCore::PresentationOrderSampleMap::size const):
+        * platform/graphics/avfoundation/objc/ImageDecoderAVFObjC.mm:
+        (WebCore::ImageDecoderAVFObjC::sampleAtIndex const):
+
 2018-05-17  Wenson Hsieh  <wenson_hsieh@apple.com>
 

trunk/Source/WebCore/Modules/mediasource/SampleMap.h

@@ -54 +54 @@
     reverse_iterator rend() { return m_samples.rend(); }
     const_reverse_iterator rend() const { return m_samples.rend(); }
+
+    size_t size() const { return m_samples.size(); }
 
     WEBCORE_EXPORT iterator findSampleWithPresentationTime(const MediaTime&);

trunk/Source/WebCore/platform/graphics/avfoundation/objc/ImageDecoderAVFObjC.mm

@@ -671 +671 @@
 const ImageDecoderAVFObjCSample* ImageDecoderAVFObjC::sampleAtIndex(size_t index) const
 {
-    if (index >= m_sampleData.size())
+    if (index >= m_sampleData.presentationOrder().size())
         return nullptr;
 
@@ -680 +680 @@
     for (size_t i = 0; i != index; ++i)
         ++iter;
-    
+
     return toSample(iter);
 }