Title: [143166] branches/chromium/1364/Source/WebCore/Modules/mediastream
Revision
143166
Author
tom...@google.com
Date
2013-02-18 01:00:56 -0800 (Mon, 18 Feb 2013)

Log Message

Merge 142887
> MediaStream API: RTCDataChannel triggers a use-after-free
> https://bugs.webkit.org/show_bug.cgi?id=109806
> 
> Reviewed by Adam Barth.
> 
> Making sure RTCPeerConnection::stop() is always called at least once.
> Also making sure that RTCDataChannels state gets set to Closed correctly.
> 
> Hard to test in WebKit but covered by Chromium tests.
> 
> * Modules/mediastream/RTCDataChannel.cpp:
> (WebCore::RTCDataChannel::stop):
> * Modules/mediastream/RTCPeerConnection.cpp:
> (WebCore::RTCPeerConnection::~RTCPeerConnection):
> (WebCore::RTCPeerConnection::stop):
> 

TBR=tom...@google.com
Review URL: https://codereview.chromium.org/12301006

Modified Paths

Diff

Modified: branches/chromium/1364/Source/WebCore/Modules/mediastream/RTCDataChannel.cpp (143165 => 143166)


--- branches/chromium/1364/Source/WebCore/Modules/mediastream/RTCDataChannel.cpp	2013-02-18 08:59:05 UTC (rev 143165)
+++ branches/chromium/1364/Source/WebCore/Modules/mediastream/RTCDataChannel.cpp	2013-02-18 09:00:56 UTC (rev 143166)
@@ -243,6 +243,7 @@
 void RTCDataChannel::stop()
 {
     m_stopped = true;
+    m_readyState = ReadyStateClosed;
     m_handler->setClient(0);
     m_scriptExecutionContext = 0;
 }
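Review bot: `RTCDataChannel::stop()` still has no early return, while this same commit adds an `if (m_stopped) return;` guard to `RTCPeerConnection::stop()`. If the channel's `stop()` can be reached more than once, which the hunk does not show, each call dereferences `m_handler` again in `m_handler->setClient(0)`. Opening the body with the same guard, `if (m_stopped) return;`, would make the two teardown paths consistent and idempotent. A short comment on the added line would also help, for example `// Force Closed so script-visible calls on a stopped channel are rejected instead of reaching the detached handler.`, assuming that is the intent behind the use-after-free fix.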

Modified: branches/chromium/1364/Source/WebCore/Modules/mediastream/RTCPeerConnection.cpp (143165 => 143166)


--- branches/chromium/1364/Source/WebCore/Modules/mediastream/RTCPeerConnection.cpp	2013-02-18 08:59:05 UTC (rev 143165)
+++ branches/chromium/1364/Source/WebCore/Modules/mediastream/RTCPeerConnection.cpp	2013-02-18 09:00:56 UTC (rev 143166)
@@ -163,6 +163,7 @@
 
 RTCPeerConnection::~RTCPeerConnection()
 {
+    stop();
 }
 
 void RTCPeerConnection::createOffer(PassRefPtr<RTCSessionDescriptionCallback> successCallback, PassRefPtr<RTCErrorCallback> errorCallback, const Dictionary& mediaConstraints, ExceptionCode& ec)
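Review bot: Calling `stop()` from `~RTCPeerConnection()` means everything in `stop()` now also runs while the object is being destroyed, and that constraint is not documented anywhere in the hunk. Most of `stop()`'s body is outside the visible hunks, so it is worth confirming that nothing there takes a new reference to `this`, dispatches events, or calls a virtual that a subclass overrides, since any of these during destruction could reintroduce a lifetime bug. I would add a comment above the call such as `// stop() must stay destructor-safe: no ref(), no event dispatch, no script re-entry.`. The new `m_stopped` guard in the last hunk makes this call a no-op when the object was already stopped.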
@@ -565,6 +566,9 @@
 
 void RTCPeerConnection::stop()
 {
+    if (m_stopped)
+        return;
+
     m_stopped = true;
     m_iceState = IceStateClosed;
     m_readyState = ReadyStateClosed;
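Review bot: The new early return carries no comment explaining why `stop()` has to be idempotent, so a later cleanup could remove it as apparently dead code. Because the destructor in this same change now calls `stop()` unconditionally, a line above the guard such as `// Also called from ~RTCPeerConnection(); a second call must be a no-op.` would record the invariant. The guard also relies on `m_stopped` being initialised to `false` in the constructor, which is not visible here. The rest of `stop()`'s body continues outside the hunk.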