Changeset 211401 in webkit

Timestamp:

Jan 30, 2017 6:38:07 PM (7 years ago)

Author:

jer.noble@apple.com

Message:

NULL-deref crash in TextTrack::removeCue()
​https://bugs.webkit.org/show_bug.cgi?id=167615

Reviewed by Eric Carlson.

It's possible for a track to be removed which was never actually added to the cue list.
Specifically, if an in-band track with a negative start or end time was parsed, it would
have been rejected by TextTrack::addCue(). When it comes time to flush those in-band cues,
TextTrack::m_cues will still be NULL. Rather than ASSERT in this case, we should revert the
behavior added in r210319 and throw an exception.

• html/track/TextTrack.cpp:

(WebCore::TextTrack::removeCue):

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• html/track/TextTrack.cpp (modified) (1 diff)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2017-01-30  Jer Noble  <jer.noble@apple.com>
+
+        NULL-deref crash in TextTrack::removeCue()
+        https://bugs.webkit.org/show_bug.cgi?id=167615
+
+        Reviewed by Eric Carlson.
+
+        It's possible for a track to be removed which was never actually added to the cue list.
+        Specifically, if an in-band track with a negative start or end time was parsed, it would
+        have been rejected by TextTrack::addCue(). When it comes time to flush those in-band cues,
+        TextTrack::m_cues will still be NULL. Rather than ASSERT in this case, we should revert the
+        behavior added in r210319 and throw an exception.
+
+        * html/track/TextTrack.cpp:
+        (WebCore::TextTrack::removeCue):
+
 2017-01-30  Andreas Kling  <akling@apple.com>
 

trunk/Source/WebCore/html/track/TextTrack.cpp

@@ -334 +334 @@
     if (cue.track() != this)
         return Exception { NOT_FOUND_ERR };
+    if (!m_cues)
+        return Exception { INVALID_STATE_ERR };
 
     // 2. Remove cue from the method's TextTrack object's text track's text track list of cues.
-    ASSERT(m_cues);
     m_cues->remove(cue);
     cue.setIsActive(false);