Title: [252511] trunk/Source/WebCore
Revision
252511
Author
jer.no...@apple.com
Date
2019-11-15 16:05:01 -0800 (Fri, 15 Nov 2019)

Log Message

CRASH in SourceBuffer::removeCodedFrames()
https://bugs.webkit.org/show_bug.cgi?id=204248

Reviewed by Eric Carlson.

Speculative fix for rare crash. It's possible that the startTime and endTime inputs to
removeCodedFrames() are out-of-order, which could lead to iterating off the end of the
SampleMap. Verify that startTime < endTime and bail out early if not true.

* Modules/mediasource/SourceBuffer.cpp:
(WebCore::SourceBuffer::removeCodedFrames):

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (252510 => 252511)


--- trunk/Source/WebCore/ChangeLog	2019-11-15 23:54:32 UTC (rev 252510)
+++ trunk/Source/WebCore/ChangeLog	2019-11-16 00:05:01 UTC (rev 252511)
@@ -1,3 +1,17 @@
+2019-11-15  Jer Noble  <jer.no...@apple.com>
+
+        CRASH in SourceBuffer::removeCodedFrames()
+        https://bugs.webkit.org/show_bug.cgi?id=204248
+
+        Reviewed by Eric Carlson.
+
+        Speculative fix for rare crash. It's possible that the startTime and endTime inputs to
+        removeCodedFrames() are out-of-order, which could lead to iterating off the end of the
+        SampleMap. Verify that startTime < endTime and bail out early if not true.
+
+        * Modules/mediasource/SourceBuffer.cpp:
+        (WebCore::SourceBuffer::removeCodedFrames):
+
 2019-11-14  Ryosuke Niwa  <rn...@webkit.org>
 
         JS wrappers of scroll event targets can get prematurely collected by GC
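Review bot: the entry says nothing about test coverage; WebKit ChangeLog entries normally either name the layout test that exercises the change or state why none is added. Since the description itself calls this a speculative fix for a rare crash with no reproduction given, say so explicitly (for example a line such as "No new tests; speculative fix for a crash with no known reproduction") so the absence of a test is a recorded decision rather than an omission, and so a later reader knows not to look for a regression test tied to bug 204248.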

Modified: trunk/Source/WebCore/Modules/mediasource/SourceBuffer.cpp (252510 => 252511)


--- trunk/Source/WebCore/Modules/mediasource/SourceBuffer.cpp	2019-11-15 23:54:32 UTC (rev 252510)
+++ trunk/Source/WebCore/Modules/mediasource/SourceBuffer.cpp	2019-11-16 00:05:01 UTC (rev 252511)
@@ -801,6 +801,10 @@
 {
     DEBUG_LOG(LOGIDENTIFIER, "start = ", start, ", end = ", end);
 
+    ASSERT(start < end);
+    if (start >= end)
+        return;
+
     // 3.5.9 Coded Frame Removal Algorithm
     // https://dvcs.w3.org/hg/html-media/raw-file/tip/media-source/media-source.html#sourcebuffer-coded-frame-removal
 
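Review bot: the `ASSERT(start < end);` placed immediately before `if (start >= end) return;` contradicts the purpose of the guard in debug builds: if the out-of-order start/end inputs that motivated this fix ever occur, a debug build will assert-crash before reaching the early return, so only release builds get the protection. Either drop the ASSERT, or, if the out-of-order case is believed to be a caller bug rather than something reachable from content, keep it and make the release-build bail-out observable by logging it (the function already logs both values at the top via DEBUG_LOG(LOGIDENTIFIER, "start = ", start, ", end = ", end)), so that the rare crash this replaces does not turn into a silent no-op with no diagnostic. Note also that the guard bails out for start == end as well as start > end; that is fine, since removing an empty range is a no-op under the Coded Frame Removal Algorithm referenced just below, but the return does skip every step of that algorithm, so any caller that relies on its side effects for an empty range should be checked.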
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes