Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit

Commit: 6ae06410764e65994ee9d4c50e1811caa6348ddf
https://github.com/WebKit/WebKit/commit/6ae06410764e65994ee9d4c50e1811caa6348ddf
Author: Youenn Fablet <you...@apple.com>
Date: 2024-05-23 (Thu, 23 May 2024)

Changed paths:
A LayoutTests/http/wpt/webcodecs/copyTo-same-decoder-expected.txt
A LayoutTests/http/wpt/webcodecs/copyTo-same-decoder.html
M Source/WebCore/platform/libwebrtc/LibWebRTCVPXVideoDecoder.cpp

Log Message:
-----------
Race condition in LibWebRTCVPXInternalVideoDecoder::pixelBufferPool leading to memory corruption
rdar://125957410

Reviewed by Chris Dumez.

Add a lock to make sure creation of the pixel buffer happens correctly.

* LayoutTests/http/wpt/webcodecs/copyTo-same-decoder-expected.txt: Added.
* LayoutTests/http/wpt/webcodecs/copyTo-same-decoder.html: Added.
* Source/WebCore/platform/libwebrtc/LibWebRTCVPXVideoDecoder.cpp:
(WebCore::LibWebRTCVPXInternalVideoDecoder::createPixelBuffer):
(WebCore::LibWebRTCVPXInternalVideoDecoder::Decoded):

Originally-landed-as: 272448.909@safari-7618-branch (b50f1990af6e). rdar://128572002
Canonical link: https://commits.webkit.org/279196@main

Commit: 7d0a50fadc7c19bf49866aaa29380fdc6f6738a5
https://github.com/WebKit/WebKit/commit/7d0a50fadc7c19bf49866aaa29380fdc6f6738a5
Author: Chris Dumez <cdu...@apple.com>
Date: 2024-05-23 (Thu, 23 May 2024)

Changed paths:
M Source/WebCore/Modules/webaudio/AudioBuffer.cpp
M Source/WebCore/Modules/webaudio/AudioBuffer.h
M Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
M Source/WebCore/Modules/webaudio/AudioBufferSourceNode.h

Log Message:
-----------
[WebAudio] Use-after-free in WebCore::AudioBufferSourceNode::renderFromBuffer
https://bugs.webkit.org/show_bug.cgi?id=272607
rdar://126326144

Reviewed by Yusuke Suzuki.

The JS on the main thread can detach the AudioBuffer's channels while it is being read by the audio rendering thread, causing use-after-frees.

In a previous fix attempt, we started copying the AudioBuffer's channels so that the audio thread would read a copy instead. However, the increased memory usage resulted in increased jetsams on gaming sites.

As a temporary stopgap measure, this patch simply marks the AudioBuffer's channels as non-detachable to prevent the issue. This is not quite spec compliant but it addresses the security issue until we can implement the specification correctly without causing jetsams.

* Source/WebCore/Modules/webaudio/AudioBuffer.cpp:
(WebCore::AudioBuffer::markBuffersAsNonDetachable):
* Source/WebCore/Modules/webaudio/AudioBuffer.h:
* Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp:
(WebCore::AudioBufferSourceNode::acquireBufferContent):
(WebCore::AudioBufferSourceNode::setBufferForBindings):
(WebCore::AudioBufferSourceNode::startPlaying):
* Source/WebCore/Modules/webaudio/AudioBufferSourceNode.h:

Originally-landed-as: 272448.925@safari-7618-branch (4201e96638f0). rdar://128572657
Canonical link: https://commits.webkit.org/279197@main

Compare: https://github.com/WebKit/WebKit/compare/14ea1c163233...7d0a50fadc7c

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
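The first commit above (279196@main) fixes a race on a lazily created pixel buffer pool by adding a lock. The following is an added illustration of that bug class and its fix, not WebKit's code: the `PixelBufferPool`, `InternalVideoDecoder` and `createPoolsConcurrently` names are assumptions, and the pool is a stand-in that hands out fixed-size frames. The unlocked accessor is kept only for contrast; the locked one is the shape the commit message describes, and the driver function shows that many threads asking for the same geometry agree on a single pool.

```cpp
// Added example (not WebKit code): a lazily created pixel buffer pool shared
// between a decoder callback thread and a caller thread, with the lock that
// makes creation race-free.
#include <atomic>
#include <cstdint>
#include <memory>
#include <mutex>
#include <thread>
#include <vector>

// Hypothetical stand-in for a platform pixel buffer pool: it hands out
// fixed-size RGBA frame buffers for one width/height.
struct PixelBufferPool {
    int width;
    int height;
    std::vector<uint8_t> allocate() const { return std::vector<uint8_t>(static_cast<size_t>(width) * height * 4); }
};

// Counts pools constructed across all threads; the locked path must make this
// exactly one for a single geometry no matter how many threads ask.
static std::atomic<int> g_poolsCreated{0};

class InternalVideoDecoder {
public:
    // "Before" pattern: the null/geometry check and the assignment are not
    // atomic, so two threads can both see a stale pool, each create one, and
    // one of them keeps using a pool the other has just replaced. Not used by
    // the driver below; shown only for contrast.
    std::shared_ptr<PixelBufferPool> pixelBufferPoolUnsafe(int width, int height) {
        if (!m_pool || m_pool->width != width || m_pool->height != height) {
            ++g_poolsCreated;
            m_pool = std::make_shared<PixelBufferPool>(PixelBufferPool{width, height});
        }
        return m_pool;
    }

    // "After" pattern: check and create happen inside one critical section,
    // and the returned shared_ptr keeps the pool alive for the caller even if
    // another thread later swaps in a pool for a different geometry.
    std::shared_ptr<PixelBufferPool> pixelBufferPool(int width, int height) {
        std::lock_guard<std::mutex> lock(m_poolLock);
        if (!m_pool || m_pool->width != width || m_pool->height != height) {
            ++g_poolsCreated;
            m_pool = std::make_shared<PixelBufferPool>(PixelBufferPool{width, height});
        }
        return m_pool;
    }

private:
    std::mutex m_poolLock;
    std::shared_ptr<PixelBufferPool> m_pool;
};

// Hammers the locked accessor from `threads` threads for the same geometry
// and returns how many pools were constructed; with the lock this is 1.
int createPoolsConcurrently(int threads, int iterations) {
    g_poolsCreated = 0;
    InternalVideoDecoder decoder;
    std::vector<std::thread> workers;
    for (int t = 0; t < threads; ++t) {
        workers.emplace_back([&decoder, iterations] {
            for (int i = 0; i < iterations; ++i) {
                auto pool = decoder.pixelBufferPool(640, 480);
                auto frame = pool->allocate();  // every caller gets a usable pool
                (void)frame;
            }
        });
    }
    for (auto& w : workers)
        w.join();
    return g_poolsCreated.load();
}
```

The returned `shared_ptr` matters as much as the lock: holding a reference across the call is what stops a concurrent geometry change from freeing a pool that a caller is still allocating from.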
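The second commit above (279197@main) closes a use-after-free by marking an AudioBuffer's channels as non-detachable once a source node starts reading them. The following is an added model of that stopgap, not WebCore's code: `ChannelData`, `AudioBuffer`, `AudioBufferSourceNode` and `detachRefusedDuringPlayback` are assumed names, and detaching is modelled as dropping the channel's backing store, which is the condition that would leave the rendering thread reading freed memory.

```cpp
// Added example (not WebKit code): channel storage that can be detached by
// script, and a source node that pins the channels before it starts reading.
#include <cstddef>
#include <memory>
#include <vector>

// Hypothetical stand-in for an ArrayBuffer-backed channel: detach() drops the
// backing store, which is what a concurrent reader must never observe.
class ChannelData {
public:
    explicit ChannelData(size_t length) : m_samples(std::make_shared<std::vector<float>>(length, 0.5f)) {}
    bool detach() {
        if (m_nonDetachable)
            return false;      // the fix: a pinned channel refuses to detach
        m_samples.reset();
        return true;
    }
    void markNonDetachable() { m_nonDetachable = true; }
    bool isDetached() const { return !m_samples; }
    const std::vector<float>* samples() const { return m_samples.get(); }
private:
    std::shared_ptr<std::vector<float>> m_samples;
    bool m_nonDetachable = false;
};

class AudioBuffer {
public:
    AudioBuffer(unsigned channels, size_t length) {
        for (unsigned i = 0; i < channels; ++i)
            m_channels.emplace_back(length);
    }
    // Mirrors the commit's markBuffersAsNonDetachable(): pin every channel.
    void markBuffersAsNonDetachable() {
        for (auto& c : m_channels)
            c.markNonDetachable();
    }
    bool detachChannel(unsigned i) { return m_channels[i].detach(); }
    const ChannelData& channel(unsigned i) const { return m_channels[i]; }
    unsigned numberOfChannels() const { return static_cast<unsigned>(m_channels.size()); }
private:
    std::vector<ChannelData> m_channels;
};

class AudioBufferSourceNode {
public:
    void setBuffer(std::shared_ptr<AudioBuffer> buffer) { m_buffer = std::move(buffer); }
    // Pin the channels before the rendering thread starts reading them.
    void startPlaying() {
        if (m_buffer)
            m_buffer->markBuffersAsNonDetachable();
        m_playing = true;
    }
    // Sums `frames` samples across channels. Returns -1 if any channel has
    // been detached underneath us, the state that was a UAF in the real bug.
    double renderFromBuffer(size_t frames) const {
        if (!m_playing || !m_buffer)
            return 0.0;
        double sum = 0.0;
        for (unsigned i = 0; i < m_buffer->numberOfChannels(); ++i) {
            const ChannelData& c = m_buffer->channel(i);
            if (c.isDetached())
                return -1.0;
            const auto& s = *c.samples();
            for (size_t f = 0; f < frames && f < s.size(); ++f)
                sum += s[f];
        }
        return sum;
    }
private:
    std::shared_ptr<AudioBuffer> m_buffer;
    bool m_playing = false;
};

// Scenario from the commit message: script detaches a channel after playback
// has started. Returns true when the detach is refused and rendering still
// reads live data (2 channels x 4 frames x 0.5 = 4.0).
bool detachRefusedDuringPlayback() {
    auto buffer = std::make_shared<AudioBuffer>(2, 8);
    AudioBufferSourceNode node;
    node.setBuffer(buffer);
    node.startPlaying();
    bool detached = buffer->detachChannel(0);  // main-thread script action
    double rendered = node.renderFromBuffer(4); // audio-thread action
    return !detached && rendered == 4.0;
}

// Before playback starts nothing is pinned, so a detach still succeeds; this
// is the behaviour the commit deliberately leaves in place.
bool detachAllowedBeforePlayback() {
    auto buffer = std::make_shared<AudioBuffer>(2, 8);
    return buffer->detachChannel(0) && buffer->channel(0).isDetached();
}
```

The model makes the trade-off in the commit message visible: pinning costs no extra memory, unlike copying the channels, but it means a script-initiated detach on a buffer that has started playing is silently refused rather than honoured as the specification describes.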