[webkit-changes] [WebKit/WebKit] 7c6d29: GuardMalloc crash in MediaStreamAudioSource::consu...

Wed, 10 Dec 2025 13:29:26 -0800 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 7c6d29846903b70418c711864f663874b8bcec3b
      
https://github.com/WebKit/WebKit/commit/7c6d29846903b70418c711864f663874b8bcec3b
  Author: Jer Noble <[email protected]>
  Date:   2025-12-10 (Wed, 10 Dec 2025)

  Changed paths:
    M Source/WebCore/Modules/webaudio/AudioBasicInspectorNode.h
    M Source/WebCore/Modules/webaudio/MediaStreamAudioDestinationNode.cpp
    M Source/WebCore/Modules/webaudio/MediaStreamAudioDestinationNode.h
    M Source/WebCore/Modules/webaudio/MediaStreamAudioSource.cpp
    M Source/WebCore/Modules/webaudio/MediaStreamAudioSource.h
    M Source/WebCore/Modules/webaudio/MediaStreamAudioSourceCocoa.cpp

  Log Message:
  -----------
  GuardMalloc crash in MediaStreamAudioSource::consumeAudio(...)
https://bugs.webkit.org/show_bug.cgi?id=298971
rdar://150526896

Reviewed by Eric Carlson.

MediaStreamAudioSource::consumeAudio() will re-create its WebAudioBufferList 
when it detects
that the buffer list's channelCount() does not match the incoming AudioBus's 
numberOfChannels().
However, this is a logic error; WebAudioBufferList::channelCount() returns the 
number of
interleaved channels within each of the list's buffers, not the number of 
buffers within the list.

Fix this logic error, and also move the creation/re-creation of the 
WebAudioBufferList outside
of consumeAudio(), and into a new method that is called when the nodes are 
reconfigured, and a
lock is taken on the render thread. Also, add a number of ASSERT checks that 
validate assumptions
we make about the memory layout of the WebAudioBufferList we are given.

* Source/WebCore/Modules/webaudio/AudioBasicInspectorNode.h:
* Source/WebCore/Modules/webaudio/MediaStreamAudioDestinationNode.cpp:
(WebCore::MediaStreamAudioDestinationNode::checkNumberOfChannelsForInput):
* Source/WebCore/Modules/webaudio/MediaStreamAudioDestinationNode.h:
* Source/WebCore/Modules/webaudio/MediaStreamAudioSource.cpp:
(WebCore::MediaStreamAudioSource::setNumberOfChannels):
* Source/WebCore/Modules/webaudio/MediaStreamAudioSource.h:
* Source/WebCore/Modules/webaudio/MediaStreamAudioSourceCocoa.cpp:
(WebCore::copyChannelData):
(WebCore::MediaStreamAudioSource::setNumberOfChannels):
(WebCore::MediaStreamAudioSource::consumeAudio):

Originally-landed-as: 297297.425@safari-7622-branch (26ee022968ca). 
rdar://164214101
Canonical link: https://commits.webkit.org/304256@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

Reply via email to