Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 8c860928affff1fd35c969c385e10f94b8cdcc36
      
https://github.com/WebKit/WebKit/commit/8c860928affff1fd35c969c385e10f94b8cdcc36
  Author: Jean-Yves Avenard <[email protected]>
  Date:   2026-05-22 (Fri, 22 May 2026)

  Changed paths:
    M Source/WebCore/platform/graphics/avfoundation/AudioVideoRendererAVFObjC.h
    M Source/WebCore/platform/graphics/avfoundation/AudioVideoRendererAVFObjC.mm

  Log Message:
  -----------
Fix heap-use-after-free in AudioVideoRendererAVFObjC::setTimeObserver when callback re-entrantly reinstalls the time observer
https://bugs.webkit.org/show_bug.cgi?id=315339
rdar://177666693

Reviewed by Youenn Fablet.

The periodic time observer block invoked m_currentTimeDidChangeCallback
through the C++ object. If the callback re-entered setTimeObserver(),
the member was moved-assigned with a new Function, destroying the one
whose operator() was still on the stack — a use-after-free.

Stop storing the callback as a member entirely. Move-capture it into the
Objective-C block via makeBlockPtr() instead, mirroring the pattern
already used by setPerformTaskAtTime() a few lines above. Each
setTimeObserver() call now installs a fresh block with its own captured
callback; re-entry replaces m_timeChangedObserver but the old block
runs to completion against its own captures (kept alive by
ObjC/dispatch for the duration of the in-flight invocation) before
being released. No member to fight over, no restore dance, no UAF
window.

Covered by existing tests.

* Source/WebCore/platform/graphics/avfoundation/AudioVideoRendererAVFObjC.h:
Remove m_currentTimeDidChangeCallback member; it is now captured by
the periodic time observer block.

* Source/WebCore/platform/graphics/avfoundation/AudioVideoRendererAVFObjC.mm:
(WebCore::AudioVideoRendererAVFObjC::setTimeObserver): Capture the
callback in the block via makeBlockPtr move-capture. Early-return if
the caller passes a null callback so cancelTimeObserver() still runs
but no fresh observer is installed.

Canonical link: https://commits.webkit.org/313715@main
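The re-entrancy bug and the fix described in the message, reduced to plain C++ as an added example (this is not WebKit's code and not the patch itself). std::function stands in for WTF::Function, and a shared_ptr-owned callable stands in for an Objective-C block that dispatch retains while it is in flight. The member and method names setTimeObserver, cancelTimeObserver, m_currentTimeDidChangeCallback and m_timeChangedObserver come from the commit message; VulnerableRenderer, FixedRenderer, CaptureProbe, InvocationState and the probe mechanism are assumptions made for this example.

```cpp
// Added example, not WebKit code: models the re-entrancy use-after-free from
// the commit message and the "move-capture into the block" fix. std::function
// stands in for WTF::Function; a shared_ptr-owned callable stands in for an
// Objective-C block that dispatch retains while it is in flight. The type and
// helper names below are assumptions made for this example.
#include <functional>
#include <memory>

// Shared between a renderer and the probe captured by its callback.
struct InvocationState {
    bool inProgress = false;                // an observer callback is on the stack
    bool destroyedDuringInvocation = false; // its callable died while it was there
};

// Captured by value in the callback. Its destructor runs exactly when the
// callable's captures are destroyed, so it records whether that happened
// while the callable was still executing.
struct CaptureProbe {
    std::shared_ptr<InvocationState> state;
    explicit CaptureProbe(std::shared_ptr<InvocationState> s) : state(std::move(s)) {}
    ~CaptureProbe() { if (state->inProgress) state->destroyedDuringInvocation = true; }
};

// Before the fix: the observer invokes the callback through a member, and a
// re-entrant setTimeObserver() move-assigns that member.
struct VulnerableRenderer {
    std::shared_ptr<InvocationState> state = std::make_shared<InvocationState>();
    std::function<void()> m_currentTimeDidChangeCallback;

    void setTimeObserver(std::function<void()> callback) {
        // If called from inside the callback, this destroys the callable whose
        // operator() is still on the stack.
        m_currentTimeDidChangeCallback = std::move(callback);
    }
    void fireTimeObserver() {
        state->inProgress = true;
        if (m_currentTimeDidChangeCallback)
            m_currentTimeDidChangeCallback();
        state->inProgress = false;
    }
};

// After the fix: the callback is move-captured into the block itself. Re-entry
// replaces m_timeChangedObserver, but the in-flight block is kept alive by the
// caller until it returns, as ObjC/dispatch does for a running block.
struct FixedRenderer {
    using Block = std::function<void()>;
    std::shared_ptr<InvocationState> state = std::make_shared<InvocationState>();
    std::shared_ptr<Block> m_timeChangedObserver;

    void cancelTimeObserver() { m_timeChangedObserver.reset(); }
    void setTimeObserver(std::function<void()> callback) {
        cancelTimeObserver();
        if (!callback)
            return; // null callback: old observer cancelled, nothing new installed
        m_timeChangedObserver = std::make_shared<Block>(std::move(callback));
    }
    void fireTimeObserver() {
        std::shared_ptr<Block> inFlight = m_timeChangedObserver; // retain for the call
        if (!inFlight)
            return;
        state->inProgress = true;
        (*inFlight)();
        state->inProgress = false;
        // inFlight is released here, after the invocation has completed.
    }
};

// Installs a callback that reinstalls the observer from inside itself, fires
// it once, and reports whether the running callable's captures were destroyed
// mid-invocation. The callback touches nothing after re-entering, so the
// vulnerable case demonstrates the dangling state without crashing.
template <typename Renderer>
bool callableDestroyedMidInvocation() {
    Renderer r;
    r.setTimeObserver([&r, probe = std::make_shared<CaptureProbe>(r.state)] {
        r.setTimeObserver([] {}); // re-entrant reinstall
    });
    r.fireTimeObserver();
    return r.state->destroyedDuringInvocation;
}

bool vulnerableDestroysCallableMidInvocation() { return callableDestroyedMidInvocation<VulnerableRenderer>(); }
bool fixedKeepsCallableAliveUntilReturn() { return !callableDestroyedMidInvocation<FixedRenderer>(); }

// A null callback cancels the existing observer and installs nothing.
bool fixedNullCallbackInstallsNothing() {
    FixedRenderer r;
    r.setTimeObserver([] {});
    r.setTimeObserver(nullptr);
    return !r.m_timeChangedObserver;
}
```

The probe is the only thing the example adds beyond the two renderers: its destructor fires at the moment the callable's captures are torn down, which is exactly the event the commit message is about. In the vulnerable renderer that moment falls inside the invocation; in the fixed renderer the caller's extra reference defers it until the block has returned, so the same re-entrant callback is harmless.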