Title: [167264] trunk/Source/WebCore
- Revision
- 167264
- Author
- jer.no...@apple.com
- Date
- 2014-04-14 13:37:52 -0700 (Mon, 14 Apr 2014)
Log Message
Use after free in WebCore::CachedResourceHandleBase::~CachedResourceHandleBase / WebCore::removeDetachedChildrenInContainer
https://bugs.webkit.org/show_bug.cgi?id=131169
Reviewed by Eric Carlson.
Invalidate the WebCoreAVFResourceLoader owned by MediaPlayerPrivateAVFoundationObjC
in its destructor, to prevent a private function being called in response to the
WebCoreAVFResourceLoader being stopped.
* platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm:
(WebCore::MediaPlayerPrivateAVFoundationObjC::~MediaPlayerPrivateAVFoundationObjC):
* platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.h:
* platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm:
(WebCore::WebCoreAVFResourceLoader::invalidate):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (167263 => 167264)
--- trunk/Source/WebCore/ChangeLog 2014-04-14 20:31:45 UTC (rev 167263)
+++ trunk/Source/WebCore/ChangeLog 2014-04-14 20:37:52 UTC (rev 167264)
@@ -1,3 +1,20 @@
+2014-04-14 Jer Noble <jer.no...@apple.com>
+
+ Use after free in WebCore::CachedResourceHandleBase::~CachedResourceHandleBase / WebCore::removeDetachedChildrenInContainer
+ https://bugs.webkit.org/show_bug.cgi?id=131169
+
+ Reviewed by Eric Carlson.
+
+ Invalidate the WebCoreAVFResourceLoader owned by MediaPlayerPrivateAVFoundationObjC
+ in its destructor, to prevent a private function being called in response to the
+ WebCoreAVFResourceLoader being stopped.
+
+ * platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm:
+ (WebCore::MediaPlayerPrivateAVFoundationObjC::~MediaPlayerPrivateAVFoundationObjC):
+ * platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.h:
+ * platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm:
+ (WebCore::WebCoreAVFResourceLoader::invalidate):
+
2014-04-14 Simon Fraser <simon.fra...@apple.com>
[WK2 iOS] Scrolling to anchor links is broken
Modified: trunk/Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm (167263 => 167264)
--- trunk/Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm 2014-04-14 20:31:45 UTC (rev 167263)
+++ trunk/Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm 2014-04-14 20:37:52 UTC (rev 167264)
@@ -369,6 +369,9 @@
#if HAVE(AVFOUNDATION_LOADER_DELEGATE)
[m_loaderDelegate.get() setCallback:0];
[[m_avAsset.get() resourceLoader] setDelegate:nil queue:0];
+
+ for (auto& pair : m_resourceLoaderMap)
+ pair.value->invalidate();
#endif
#if HAVE(AVFOUNDATION_VIDEO_OUTPUT)
[m_videoOutputDelegate setCallback:0];
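Review bot: The new loop over `m_resourceLoaderMap` is only safe if `invalidate()` never calls back into this player, and nothing at the call site says so. With the `.mm` change in this commit, `invalidate()` clears `m_parent` before `stopLoading()`, so `didStopLoadingRequest()` is skipped; if that callback edits the map (it is not shown here), this ordering is also what keeps the map from being modified during iteration. A comment above the loop would record the dependency: `// invalidate() clears each loader's back-pointer, so no loader calls didStopLoadingRequest() on this object during or after destruction.` The entries stay in the map after the loop, which looks fine if member destruction releases them, but that should be confirmed. The destructor body starts and ends outside this hunk.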
Modified: trunk/Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.h (167263 => 167264)
--- trunk/Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.h 2014-04-14 20:31:45 UTC (rev 167263)
+++ trunk/Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.h 2014-04-14 20:37:52 UTC (rev 167264)
@@ -51,6 +51,7 @@
void startLoading();
void stopLoading();
+ void invalidate();
CachedRawResource* resource();
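Review bot: The new `invalidate()` declaration has no comment stating its contract, which differs from that of `stopLoading()` beside it. According to the `.mm` hunks in this commit it clears the parent pointer, stops any load in progress without notifying the parent, and makes later `startLoading()` calls return early. I would add above the declaration: `// Detaches this loader from its parent and stops any load in progress; the parent is not notified and startLoading() is a no-op afterwards.` The class declaration starts and ends outside this hunk.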
Modified: trunk/Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm (167263 => 167264)
--- trunk/Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm 2014-04-14 20:31:45 UTC (rev 167263)
+++ trunk/Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm 2014-04-14 20:37:52 UTC (rev 167264)
@@ -63,7 +63,7 @@
void WebCoreAVFResourceLoader::startLoading()
{
- if (m_resource)
+ if (m_resource || !m_parent)
return;
URL requestURL = [[m_avRequest.get() request] URL];
@@ -89,9 +89,16 @@
m_resource->removeClient(this);
m_resource = 0;
- m_parent->didStopLoadingRequest(m_avRequest.get());
+ if (m_parent)
+ m_parent->didStopLoadingRequest(m_avRequest.get());
}
+void WebCoreAVFResourceLoader::invalidate()
+{
+ m_parent = nullptr;
+ stopLoading();
+}
+
void WebCoreAVFResourceLoader::responseReceived(CachedResource* resource, const ResourceResponse& response)
{
ASSERT(resource == m_resource);
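Review bot: The null checks added here cover `m_parent` only in `startLoading()` (previous hunk) and `stopLoading()`. Any other member of `WebCoreAVFResourceLoader` that dereferences `m_parent` lies outside these hunks, so each should be confirmed unreachable once `removeClient(this)` has run, or given the same `if (m_parent)` check. Inside `invalidate()` the statement order is what prevents the use after free, and a comment would protect it from being reordered: `// Clear m_parent before stopLoading() so the parent being destroyed is never called back.` `stopLoading()` starts above this hunk and `responseReceived()` continues below it, so whether `stopLoading()` returns early when `m_resource` is null cannot be checked from here.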