Context Navigation

← Previous Changeset
Next Changeset →

Changeset 210945 in webkit

Timestamp:

Jan 19, 2017 5:09:20 PM (7 years ago)

Author:

jer.noble@apple.com

Message:

CRASH at WebCore::TrackListBase::remove
https://bugs.webkit.org/show_bug.cgi?id=167217

Reviewed by Brent Fulgham.

Source/WebCore:

Test: media/media-source/media-source-error-crash.html

In very specific conditions, a HTMLMediaElement backed by a MediaSource can try to remove
the same track from its track list twice. If there are two SourceBuffers attached to a
HTMLMediaElement, and one has not yet been initialized, when the second fails to parse an
appended buffer after receiving an initialization segment, the HTMLMediaElement will remove
all its tracks in mediaLoadingFailed(), then MediaSource object itself will attempt remove
the same track in removeSourceBuffer().

Solving this the safest way possible: bail early from TrackListBase if asked to remove a
track which the list does not contain.

html/track/TrackListBase.cpp:

(TrackListBase::remove):

LayoutTests:

media/media-source/media-source-error-crash-expected.txt: Added.
media/media-source/media-source-error-crash.html: Added.

Location:

trunk

Files:

: 2 added
: 3 edited

LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/media/media-source/media-source-error-crash-expected.txt (added)
LayoutTests/media/media-source/media-source-error-crash.html (added)
Source/WebCore/ChangeLog (modified) (1 diff)
Source/WebCore/html/track/TrackListBase.cpp (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r210941
+                      r210945
+-01-19  Jer Noble  <jer.noble@apple.com>
+        CRASH at WebCore::TrackListBase::remove
+        https://bugs.webkit.org/show_bug.cgi?id=167217
+        Reviewed by Brent Fulgham.
+        * media/media-source/media-source-error-crash-expected.txt: Added.
+        * media/media-source/media-source-error-crash.html: Added.
 -01-19  Megan Gardner  <megan_gardner@apple.com>

trunk/Source/WebCore/ChangeLog

-                      r210943
+                      r210945
+-01-19  Jer Noble  <jer.noble@apple.com>
+        CRASH at WebCore::TrackListBase::remove
+        https://bugs.webkit.org/show_bug.cgi?id=167217
+        Reviewed by Brent Fulgham.
+        Test: media/media-source/media-source-error-crash.html
+        In very specific conditions, a HTMLMediaElement backed by a MediaSource can try to remove
+        the same track from its track list twice. If there are two SourceBuffers attached to a
+        HTMLMediaElement, and one has not yet been initialized, when the second fails to parse an
+        appended buffer after receiving an initialization segment, the HTMLMediaElement will remove
+        all its tracks in mediaLoadingFailed(), then MediaSource object itself will attempt remove
+        the same track in removeSourceBuffer().
+        Solving this the safest way possible: bail early from TrackListBase if asked to remove a
+        track which the list does not contain.
+        * html/track/TrackListBase.cpp:
+        (TrackListBase::remove):
 -01-19  Andy Estes  <aestes@apple.com>

trunk/Source/WebCore/html/track/TrackListBase.cpp

-                      r206127
+                      r210945
+{
     size_t index = m_inbandTracks.find(&track);
+    ASSERT(index != notFound);
+    if (index == notFound)
+        return;
     if (track.mediaElement()) {

Note: See TracChangeset for help on using the changeset viewer.