Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: c6a8bc14421a84ab750428015a97cac14185e36a
    https://github.com/WebKit/WebKit/commit/c6a8bc14421a84ab750428015a97cac14185e36a
Author: Youenn Fablet <youe...@gmail.com>
Date: 2023-12-20 (Wed, 20 Dec 2023)
Changed paths:
  M LayoutTests/platform/glib/TestExpectations
  A LayoutTests/webrtc/processIceTransportStateChange-gc-expected.txt
  A LayoutTests/webrtc/processIceTransportStateChange-gc.html
  M Source/WebCore/Modules/mediastream/RTCIceTransport.cpp
  M Source/WebCore/Modules/mediastream/RTCIceTransport.h

Log Message:
-----------
Use-after-free in RTCPeerConnection::processIceTransportStateChange
rdar://117526483

Reviewed by Jean-Yves Avenard.

RTCIceTransport is calling RTCPeerConnection::processIceTransportStateChange without protecting its RTCPeerConnection.
processIceTransportStateChange can trigger JS execution so we need to protect the RTCPeerConnection.
Make RTCIceTransport do so, and update RTCIceTransport connection getter to return a RefPtr instead of a raw pointer.

* LayoutTests/webrtc/processIceTransportStateChange-gc-expected.txt: Added.
* LayoutTests/webrtc/processIceTransportStateChange-gc.html: Added.
* Source/WebCore/Modules/mediastream/RTCDtlsTransport.cpp:
(WebCore::RTCDtlsTransport::onStateChanged):
* Source/WebCore/Modules/mediastream/RTCIceTransport.cpp:
(WebCore::RTCIceTransport::onStateChanged):
* Source/WebCore/Modules/mediastream/RTCIceTransport.h:
(WebCore::RTCIceTransport::connection const):

Originally-landed-as: 267815.446@safari-7617-branch (8be2b8b167a1). rdar://119595786
Canonical link: https://commits.webkit.org/272392@main
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
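Added illustration of the bug class the commit message describes; this is not WebKit code and is not the patch itself. Connection stands in for RTCPeerConnection, IceTransport for RTCIceTransport, and the tiny ref()/deref()/RefPtr here for WebCore's RefCounted/RefPtr; runScript models the JS execution that processIceTransportStateChange can trigger; the names simulateGcDuringStateChange, onStateChangedUnprotected, onStateChangedProtected and the destruction ledger are all assumptions made for the demo. The buggy path consults that ledger instead of touching freed memory so the program stays defined behaviour; in the real code the marked member access is where ASan would report the use-after-free.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <functional>
#include <set>
#include <string>

// Demo-only bookkeeping (not WebKit): addresses of Connection objects whose
// destructor has run, plus a live-object count to show the fix does not leak.
static std::set<std::uintptr_t> g_destroyedConnections;
static int g_liveConnections = 0;

// Stand-in for RTCPeerConnection: intrusively refcounted, deleted on last deref.
class Connection {
public:
    Connection()
    {
        ++g_liveConnections;
        g_destroyedConnections.erase(reinterpret_cast<std::uintptr_t>(this)); // address reuse
    }
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }

    // Models processIceTransportStateChange: dispatch to script, then keep
    // using members of *this. Script may release the last reference to *this.
    std::string processIceTransportStateChange(const std::function<void()>& runScript)
    {
        runScript();
        if (g_destroyedConnections.count(reinterpret_cast<std::uintptr_t>(this)))
            return "use-after-free: connection destroyed during script";
        ++m_stateChanges; // in real code this is the access into freed memory
        return "ok";
    }

private:
    ~Connection()
    {
        --g_liveConnections;
        g_destroyedConnections.insert(reinterpret_cast<std::uintptr_t>(this));
    }
    unsigned m_refCount = 0;
    unsigned m_stateChanges = 0;
};

// Minimal strong smart pointer in the shape of WebCore's RefPtr (simplified).
template<typename T> class RefPtr {
public:
    RefPtr() = default;
    RefPtr(T* p) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& o) : RefPtr(o.m_ptr) { }
    RefPtr& operator=(const RefPtr&) = delete;
    RefPtr& operator=(std::nullptr_t) { T* p = m_ptr; m_ptr = nullptr; if (p) p->deref(); return *this; }
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }
    explicit operator bool() const { return m_ptr != nullptr; }
private:
    T* m_ptr = nullptr;
};

// Stand-in for RTCIceTransport, which does not own its connection.
class IceTransport {
public:
    explicit IceTransport(Connection* connection) : m_connection(connection) { }

    // Before the fix: a raw pointer from the getter is used across a call that
    // can run script, and nothing keeps the connection alive meanwhile.
    std::string onStateChangedUnprotected(const std::function<void()>& runScript)
    {
        Connection* connection = rawConnection();
        return connection->processIceTransportStateChange(runScript);
    }

    // After the fix: the getter returns a RefPtr, so this frame holds a strong
    // reference for the whole call; script can drop its reference but the
    // object lives until `connection` goes out of scope.
    std::string onStateChangedProtected(const std::function<void()>& runScript)
    {
        RefPtr<Connection> connection = protectedConnection();
        if (!connection)
            return "no connection";
        return connection->processIceTransportStateChange(runScript);
    }

private:
    Connection* rawConnection() const { return m_connection; }
    RefPtr<Connection> protectedConnection() const { return RefPtr<Connection>(m_connection); }
    Connection* m_connection; // non-owning back-reference (simplified for the demo)
};

// One state change during which script releases the last reference to the
// connection (e.g. the JS wrapper being collected). protect=false reproduces
// the bug, protect=true applies the fix.
std::string simulateGcDuringStateChange(bool protect)
{
    RefPtr<Connection> scriptReference(new Connection); // models the JS wrapper's reference
    IceTransport transport(scriptReference.get());
    auto scriptDropsReference = [&scriptReference] { scriptReference = nullptr; };
    return protect ? transport.onStateChangedProtected(scriptDropsReference)
                   : transport.onStateChangedUnprotected(scriptDropsReference);
}

int liveConnections() { return g_liveConnections; }

int main()
{
    std::printf("unprotected: %s\n", simulateGcDuringStateChange(false).c_str());
    std::printf("protected:   %s\n", simulateGcDuringStateChange(true).c_str());
    std::printf("live connections after both runs: %d\n", liveConnections());
    return 0;
}
```

The protected variant is the shape the commit describes for RTCIceTransport::onStateChanged: take the strong reference from the getter into a local before calling into anything that may re-enter script, and check it for null, since a connection that has already gone away is a legitimate state rather than a crash.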