Title: [141127] trunk
- Revision: 141127
- Author: vcarb...@chromium.org
- Date: 2013-01-29 09:52:17 -0800 (Tue, 29 Jan 2013)
Log Message
Heap-use-after-free in WebCore::RenderTextTrackCue::layout
https://bugs.webkit.org/show_bug.cgi?id=108197
Reviewed by Eric Carlson.
Source/WebCore:
Test: media/track/track-cue-rendering-tree-is-removed-properly.html
* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::textTrackRemoveCue): Ensure the display tree
is removed when the cue is removed from the list of cues.
* html/track/TextTrackCue.cpp:
(WebCore::TextTrackCue::~TextTrackCue): Enforce display tree removal.
LayoutTests:
Added test that triggers the crash. Verified proper removal of the tree.
* media/track/track-cue-rendering-tree-is-removed-properly-expected.txt: Added.
* media/track/track-cue-rendering-tree-is-removed-properly.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (141126 => 141127)
--- trunk/LayoutTests/ChangeLog 2013-01-29 17:50:53 UTC (rev 141126)
+++ trunk/LayoutTests/ChangeLog 2013-01-29 17:52:17 UTC (rev 141127)
@@ -1,3 +1,15 @@
+2013-01-29 Victor Carbune <vcarb...@chromium.org>
+
+ Heap-use-after-free in WebCore::RenderTextTrackCue::layout
+ https://bugs.webkit.org/show_bug.cgi?id=108197
+
+ Reviewed by Eric Carlson.
+
+ Added test that triggers the crash. Verified proper removal of the tree.
+
+ * media/track/track-cue-rendering-tree-is-removed-properly-expected.txt: Added.
+ * media/track/track-cue-rendering-tree-is-removed-properly.html: Added.
+
2013-01-29 Ádám Kallai <ka...@inf.u-szeged.hu>
[Qt] Unreviewed gardening. Skip a failing ref html test.
Added: trunk/LayoutTests/media/track/track-cue-rendering-tree-is-removed-properly-expected.txt (0 => 141127)
--- trunk/LayoutTests/media/track/track-cue-rendering-tree-is-removed-properly-expected.txt (rev 0)
+++ trunk/LayoutTests/media/track/track-cue-rendering-tree-is-removed-properly-expected.txt 2013-01-29 17:52:17 UTC (rev 141127)
@@ -0,0 +1,16 @@
+Tests that the cue display tree has been removed properly and no crash happens.
+
+** Set the mode of the text track to showing **
+
+** Initialize the video element **
+EVENT(canplaythrough)
+
+** Empty the contents of the video element when it is ready to play **
+
+** Text track should not be rendered anymore **
+No text track cue with display id '-webkit-media-text-track-display' is currently visible
+
+No crash. PASS.
+
+END OF TEST
+
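Review bot: the line `+No text track cue with display id '-webkit-media-text-track-display' is currently visible` is the verbatim text of the exception thrown by the test helper, so any future rewording of that helper message will break this expectation without any change in behaviour; consider having the test print its own fixed PASS/FAIL line for the "display tree is gone" check instead of echoing the exception text.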
Added: trunk/LayoutTests/media/track/track-cue-rendering-tree-is-removed-properly.html (0 => 141127)
--- trunk/LayoutTests/media/track/track-cue-rendering-tree-is-removed-properly.html (rev 0)
+++ trunk/LayoutTests/media/track/track-cue-rendering-tree-is-removed-properly.html 2013-01-29 17:52:17 UTC (rev 141127)
@@ -0,0 +1,55 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <script src=""
+ <script src=""
+ <script src=""
+
+ <script>
+ function emptyVideoTextContent()
+ {
+ consoleWrite("");
+ consoleWrite("** Empty the contents of the video element when it is ready to play **");
+ video.textContent = "";
+
+ consoleWrite("");
+ consoleWrite("** Text track should not be rendered anymore **");
+ try {
+ var textTrackCueBox = textTrackDisplayElement(video, 'display');
+ } catch (e) {
+ consoleWrite(e);
+ }
+
+ consoleWrite("");
+ consoleWrite("No crash. PASS.");
+ consoleWrite("");
+
+ endTest();
+ }
+
+ function initElements()
+ {
+ consoleWrite("** Set the mode of the text track to showing **");
+ testTrack = document.querySelector('track');
+ testTrack.track.mode = "showing";
+
+ consoleWrite("");
+ consoleWrite("** Initialize the video element **");
+ findMediaElement();
+ video.src = "" '../content/test');
+
+ video.play();
+ waitForEvent('canplaythrough', emptyVideoTextContent);
+ }
+
+ </script>
+ </head>
+ <body _onload_="initElements()">
+ <p>Tests that the cue display tree has been removed properly and no crash happens.</p>
+ <video controls>
+ <track src="" kind="captions">
+ </video>
+ </body>
+</html>
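Review bot: in emptyVideoTextContent() the `try` block assigns `textTrackCueBox` but never uses it, and the path where `textTrackDisplayElement(video, 'display')` succeeds (meaning the display tree survived `video.textContent = ""`) prints nothing, so a regression would show up only as a missing line in the output diff rather than an explicit failure; add something like `consoleWrite("FAIL: display tree still present");` right after the call inside the `try`. Also, `testTrack = document.querySelector('track');` in initElements() creates an implicit global; declare it with `var`.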
Modified: trunk/Source/WebCore/ChangeLog (141126 => 141127)
--- trunk/Source/WebCore/ChangeLog 2013-01-29 17:50:53 UTC (rev 141126)
+++ trunk/Source/WebCore/ChangeLog 2013-01-29 17:52:17 UTC (rev 141127)
@@ -1,3 +1,18 @@
+2013-01-29 Victor Carbune <vcarb...@chromium.org>
+
+ Heap-use-after-free in WebCore::RenderTextTrackCue::layout
+ https://bugs.webkit.org/show_bug.cgi?id=108197
+
+ Reviewed by Eric Carlson.
+
+ Test: media/track/track-cue-rendering-tree-is-removed-properly.html
+
+ * html/HTMLMediaElement.cpp:
+ (WebCore::HTMLMediaElement::textTrackRemoveCue): Ensure the display tree
+ is removed when the cue is removed from the list of cues.
+ * html/track/TextTrackCue.cpp:
+ (WebCore::TextTrackCue::~TextTrackCue): Enfore display tree removal.
+
2013-01-29 Eli Fidler <efid...@rim.com>
On HarfbuzzNG ports, Arabic TATWEEL is not joined.
Modified: trunk/Source/WebCore/html/HTMLMediaElement.cpp (141126 => 141127)
--- trunk/Source/WebCore/html/HTMLMediaElement.cpp 2013-01-29 17:50:53 UTC (rev 141126)
+++ trunk/Source/WebCore/html/HTMLMediaElement.cpp 2013-01-29 17:52:17 UTC (rev 141127)
@@ -1438,6 +1438,7 @@
if (index != notFound)
m_currentlyActiveCues.remove(index);
+ cue->removeDisplayTree();
updateActiveTextTrackCues(currentTime());
}
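Review bot: `+ cue->removeDisplayTree();` sits outside the `if (index != notFound)` branch and ahead of `updateActiveTextTrackCues(currentTime());`, which is the right order (a cue that is not in `m_currentlyActiveCues` may still own a box in the render tree, and it must be detached before the active set is recomputed), but nothing in the code records that reasoning; add a one-line comment saying so. Since the call is now unconditional, also confirm that removeDisplayTree() is a safe no-op for a cue that never created a display tree.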
Modified: trunk/Source/WebCore/html/track/TextTrackCue.cpp (141126 => 141127)
--- trunk/Source/WebCore/html/track/TextTrackCue.cpp 2013-01-29 17:50:53 UTC (rev 141126)
+++ trunk/Source/WebCore/html/track/TextTrackCue.cpp 2013-01-29 17:52:17 UTC (rev 141127)
@@ -225,6 +225,7 @@
TextTrackCue::~TextTrackCue()
{
+ removeDisplayTree();
}
PassRefPtr<TextTrackCueBox> TextTrackCue::createDisplayTree()
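Review bot: `+ removeDisplayTree();` in `~TextTrackCue()` is the safety net for the use-after-free in RenderTextTrackCue::layout, guaranteeing the renderer cannot keep a pointer to a freed cue whichever path dropped the last reference. Two things to confirm that are not visible in this hunk: that removeDisplayTree() is a no-op when no display tree was ever created (the destructor runs for every cue), and that it does not depend on derived-class state, because a call made from a destructor dispatches to this class's implementation only. A short comment above the call noting that it is intentionally redundant with the HTMLMediaElement::textTrackRemoveCue change would stop a future cleanup from removing one of the two.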
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes