Changeset 211495 in webkit
- Timestamp: Feb 1, 2017 10:22:21 AM (7 years ago)
- Location: trunk
- Files: 2 added, 3 edited
trunk/LayoutTests/ChangeLog
r211491 r211495 1 2017-02-01 Jer Noble <jer.noble@apple.com> 2 3 NULL-deref crash in TextTrack::removeCue() 4 https://bugs.webkit.org/show_bug.cgi?id=167615 5 6 Reviewed by Eric Carlson. 7 8 * http/tests/media/track-in-band-hls-metadata-crash-expected.txt: Added. 9 * http/tests/media/track-in-band-hls-metadata-crash.html: Added. 10 1 11 2017-02-01 Nan Wang <n_wang@apple.com> 2 12 -
trunk/Source/WebCore/ChangeLog
r211491 r211495 1 2017-02-01 Jer Noble <jer.noble@apple.com> 2 3 NULL-deref crash in TextTrack::removeCue() 4 https://bugs.webkit.org/show_bug.cgi?id=167615 5 6 Reviewed by Eric Carlson. 7 8 Test: http/tests/media/track-in-band-hls-metadata-crash.html 9 10 Follow-up to r211401. When passing around a reference to an object, the assumption is that 11 the caller is retaining the underlying object. This breaks down for 12 InbandDataTextTrack::removeDataCue(), which releases its own ownership of the cue object, 13 then passes the reference to that object to its superclass to do further remove steps. The 14 retain count of the cue can thus drop to zero within the scope of 15 InbandTextTrack::removeCue(). Use "take" semantics to remove the cue from the 16 m_incompleteCueMap without releasing ownership, and pass a reference to that retained object 17 on to removeCue(), guaranteeing that the cue will not be destroyed until after the 18 romeveDataCue() method returns. 19 20 * html/track/InbandDataTextTrack.cpp: 21 (WebCore::InbandDataTextTrack::removeDataCue): 22 1 23 2017-02-01 Nan Wang <n_wang@apple.com> 2 24 -
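Review bot: the ChangeLog entry misspells the method name as "romeveDataCue()" in the last sentence of the explanation; it should read "removeDataCue()" so that searching the log for the function finds this entry. The rest of the description is clear about the lifetime problem: a caller that drops its own ownership of an object and then hands a reference to that object to another function must not assume the object outlives the call.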
trunk/Source/WebCore/html/track/InbandDataTextTrack.cpp
r210319 r211495 101 101 void InbandDataTextTrack::removeDataCue(const MediaTime&, const MediaTime&, SerializedPlatformRepresentation& platformValue) 102 102 { 103 if (auto * cue = m_incompleteCueMap.get(&platformValue)) {103 if (auto cue = m_incompleteCueMap.take(&platformValue)) { 104 104 LOG(Media, "InbandDataTextTrack::removeDataCue removing cue: start=%s, end=%s\n", toString(cue->startTime()).utf8().data(), toString(cue->endTime()).utf8().data()); 105 removeCue(*cue);105 InbandTextTrack::removeCue(*cue); 106 106 } 107 107 }
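Review bot: the switch from `m_incompleteCueMap.get(&platformValue)` to `m_incompleteCueMap.take(&platformValue)` only fixes the use-after-free if the map's value type is an owning smart pointer, so that the local `cue` holds a reference for the duration of `InbandTextTrack::removeCue(*cue)`; if the map stored raw pointers, `take` would return a raw pointer and the cue could still be destroyed inside the call. A short comment on the `auto cue` line stating that the local intentionally keeps the cue alive until the function returns would prevent a future cleanup from reverting to `get`. Separately, the call is now qualified as `InbandTextTrack::removeCue(*cue)` rather than the previous unqualified `removeCue(*cue)`, which changes dispatch to the base-class implementation and bypasses any override on this class; the ChangeLog does not explain that part, so either the ChangeLog or a code comment should say why the base-class version is called directly.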