Skip to site navigation (Press enter)

[webkit-changes] [277177] trunk/Source/WebCore

cdumez Fri, 07 May 2021 09:43:25 -0700

Title: [277177] trunk/Source/WebCore

Revision: 277177
Author: cdu...@apple.com
Date: 2021-05-07 09:42:35 -0700 (Fri, 07 May 2021)

Log Message

AudioWorkletProcessor which does not extend base class crashes Safari
https://bugs.webkit.org/show_bug.cgi?id=225449
<rdar://problem/77624792>


Reviewed by Sam Weinig.

Update AudioWorkletGlobalScope::createProcessor() to validate the type of the processor
after constructing it.

* Modules/webaudio/AudioWorkletGlobalScope.cpp:
(WebCore::AudioWorkletGlobalScope::createProcessor):

Modified Paths

trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/Modules/webaudio/AudioWorkletGlobalScope.cpp

Diff

Modified: trunk/Source/WebCore/ChangeLog (277176 => 277177)


--- trunk/Source/WebCore/ChangeLog	2021-05-07 16:21:55 UTC (rev 277176)
+++ trunk/Source/WebCore/ChangeLog	2021-05-07 16:42:35 UTC (rev 277177)
@@ -1,3 +1,17 @@
+2021-05-07  Chris Dumez  <cdu...@apple.com>
+
+        AudioWorkletProcessor which does not extend base class crashes Safari
+        https://bugs.webkit.org/show_bug.cgi?id=225449
+        <rdar://problem/77624792>
+
+        Reviewed by Sam Weinig.
+
+        Update AudioWorkletGlobalScope::createProcessor() to validate the type of the processor
+        after constructing it.
+
+        * Modules/webaudio/AudioWorkletGlobalScope.cpp:
+        (WebCore::AudioWorkletGlobalScope::createProcessor):
+
 2021-05-07  Philippe Normand  <pnorm...@igalia.com>
 
         [GStreamer][MediaStream] Emit black frames for disabled video tracks

Modified: trunk/Source/WebCore/Modules/webaudio/AudioWorkletGlobalScope.cpp (277176 => 277177)


--- trunk/Source/WebCore/Modules/webaudio/AudioWorkletGlobalScope.cpp	2021-05-07 16:21:55 UTC (rev 277176)
+++ trunk/Source/WebCore/Modules/webaudio/AudioWorkletGlobalScope.cpp	2021-05-07 16:42:35 UTC (rev 277177)
@@ -150,10 +150,13 @@
     ASSERT(!!scope.exception() == !object);
     RETURN_IF_EXCEPTION(scope, nullptr);
 
-    auto& jsProcessor = *JSC::jsCast<JSAudioWorkletProcessor*>(object);
-    jsProcessor.wrapped().setProcessCallback(makeUnique<JSCallbackDataStrong>(&jsProcessor, globalObject));
+    auto* jsProcessor = JSC::jsDynamicCast<JSAudioWorkletProcessor*>(vm, object);
+    if (!jsProcessor)
+        return nullptr;
 
-    return &jsProcessor.wrapped();
+    jsProcessor->wrapped().setProcessCallback(makeUnique<JSCallbackDataStrong>(jsProcessor, globalObject));
+
+    return &jsProcessor->wrapped();
 }
 
 void AudioWorkletGlobalScope::prepareForDestruction()

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes