Title: [199252] trunk/Source/WebCore
Revision
199252
Author
jer.no...@apple.com
Date
2016-04-08 15:41:46 -0700 (Fri, 08 Apr 2016)

Log Message

CRASH in AudioDestinationNode::render()
https://bugs.webkit.org/show_bug.cgi?id=156308

Reviewed by Eric Carlson.

Yet another math error in AudioDestinationIOS::render(). It is possible for the difference between
m_startSpareFrame and m_endSpareFrame to be greater than the numberOfFrames to be rendered. Protect
against this case by taking the min() of those two values and only advancing m_startSpareFrame by
that amount.  This guarantees that framesThisTime will never underflow, and that data will not be
written past the end of the ioData parameter.

* platform/audio/ios/AudioDestinationIOS.cpp:
(WebCore::AudioDestinationIOS::render):
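The arithmetic the commit message describes, as an added model that is neither WebKit's code nor the author's: it keeps the loop shape from the diff (the spare-frame branch, then one kRenderBufferSize block per trip) and swaps the audio buffers for a bounds check, so the r199251 and r199252 paths can be run on the same constructed input. The value of kRenderBufferSize, the spare ranges, and the omitted loop tail (which in the real code refills the spare bus) are assumptions.

```cpp
// Added model of the spare-frame bookkeeping in AudioDestinationIOS::render(); this is not
// WebKit code. It keeps the integer arithmetic visible in the hunk, replaces the audio
// buffers with a bounds-checked frame counter, and assumes kRenderBufferSize and the loop tail.
#include <algorithm>
#include <cstdint>
#include <cstdio>

constexpr uint32_t kRenderBufferSize = 128; // assumed; the real constant is not on the page

// State carried between render() calls (m_startSpareFrame / m_endSpareFrame).
struct Destination {
    uint32_t startSpareFrame = 0;
    uint32_t endSpareFrame = 0;
};

// What one render() call did to the caller's ioData of numberOfFrames frames.
struct Outcome {
    bool outOfBounds = false;   // a write would have landed past the end of ioData
    uint32_t framesWritten = 0; // frames that landed inside ioData
    uint32_t iterations = 0;    // trips through the while loop
};

// Stands in for assignAudioBuffersToBus(): instead of pointing the bus at ioData,
// check that [frameOffset, frameOffset + count) fits inside numberOfFrames.
static bool mapFrames(uint32_t numberOfFrames, uint32_t frameOffset, uint32_t count, Outcome& out)
{
    if (frameOffset > numberOfFrames || count > numberOfFrames - frameOffset) {
        out.outOfBounds = true;
        return false;
    }
    out.framesWritten += count;
    return true;
}

enum class Variant { BeforeFix, AfterFix }; // r199251 vs r199252 behaviour

Outcome render(Destination& d, uint32_t numberOfFrames, Variant v)
{
    Outcome out;
    uint32_t framesRemaining = numberOfFrames;
    uint32_t frameOffset = 0;
    while (framesRemaining > 0) {
        ++out.iterations;
        // Old code required both cursors to be non-zero; new code requires start < end.
        bool haveSpare = v == Variant::BeforeFix ? (d.startSpareFrame && d.endSpareFrame)
                                                 : (d.startSpareFrame < d.endSpareFrame);
        if (haveSpare) {
            uint32_t spare = d.endSpareFrame - d.startSpareFrame;
            uint32_t framesThisTime = v == Variant::BeforeFix ? spare : std::min(spare, numberOfFrames);
            if (!mapFrames(numberOfFrames, frameOffset, framesThisTime, out))
                return out; // the real code has already written past ioData at this point
            frameOffset += framesThisTime;
            framesRemaining -= framesThisTime; // UInt32: wraps if framesThisTime > framesRemaining
            if (v == Variant::BeforeFix)
                d.startSpareFrame = d.endSpareFrame = 0;
            else
                d.startSpareFrame += framesThisTime;
        }
        // Loop tail as far as the hunk shows it: at most one kRenderBufferSize block.
        // (The real tail also refills the spare bus; that part is not on the page.)
        uint32_t framesThisTime = std::min(kRenderBufferSize, framesRemaining);
        if (!mapFrames(numberOfFrames, frameOffset, framesThisTime, out))
            return out;
        frameOffset += framesThisTime;
        framesRemaining -= framesThisTime;
    }
    return out;
}

// Result of running `calls` consecutive render() calls on one destination that
// starts with spare frames [spareStart, spareEnd) carried over from earlier.
struct Summary {
    Outcome last;              // outcome of the final call
    uint32_t totalWritten = 0; // frames written across all calls
    uint32_t finalStart = 0;   // spare cursor after the final call
    uint32_t finalEnd = 0;
};

Summary simulate(Variant v, uint32_t spareStart, uint32_t spareEnd, uint32_t numberOfFrames, int calls)
{
    Destination d;
    d.startSpareFrame = spareStart;
    d.endSpareFrame = spareEnd;
    Summary s;
    for (int i = 0; i < calls && !s.last.outOfBounds; ++i) {
        s.last = render(d, numberOfFrames, v);
        s.totalWritten += s.last.framesWritten;
    }
    s.finalStart = d.startSpareFrame;
    s.finalEnd = d.endSpareFrame;
    return s;
}

int main()
{
    // Constructed input: a 600-frame spare range carried in, 512 frames requested per call.
    Summary before = simulate(Variant::BeforeFix, 100, 700, 512, 1);
    Summary after = simulate(Variant::AfterFix, 100, 700, 512, 2);
    std::printf("before fix: outOfBounds=%d\n", before.last.outOfBounds);
    std::printf("after fix: written=%u, spare cursor %u/%u\n", after.totalWritten, after.finalStart, after.finalEnd);
    return 0;
}
```

With a 600-frame spare range and a 512-frame request, the r199251 path maps 600 frames into a 512-frame buffer on the first trip, and its UInt32 subtraction would then leave framesRemaining wrapped near 2^32; the r199252 path consumes 512 now, advances the start cursor to 612, and drains the remaining 88 frames on the next call. The model also shows the second effect of the changed condition: a spare range that begins at frame 0 was never consumed by the old non-zero test.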

Modified Paths

trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/platform/audio/ios/AudioDestinationIOS.cpp

Diff

Modified: trunk/Source/WebCore/ChangeLog (199251 => 199252)


--- trunk/Source/WebCore/ChangeLog	2016-04-08 22:37:34 UTC (rev 199251)
+++ trunk/Source/WebCore/ChangeLog	2016-04-08 22:41:46 UTC (rev 199252)
@@ -1,3 +1,19 @@
+2016-04-08  Jer Noble  <jer.no...@apple.com>
+
+        CRASH in AudioDestinationNode::render()
+        https://bugs.webkit.org/show_bug.cgi?id=156308
+
+        Reviewed by Eric Carlson.
+
+        Yet another math error in AudioDestinationIOS::render(). It is possible for the difference between
+        m_startSpareFrame and m_endSpareFrame to be greater than the numberOfFrames to be rendered. Protect
+        against this case by taking the min() of those two values and only advancing m_startSpareFrame by
+        that amount.  This guarantees that framesThisTime will never underflow, and that data will not be
+        written past the end of the ioData parameter.
+
+        * platform/audio/ios/AudioDestinationIOS.cpp:
+        (WebCore::AudioDestinationIOS::render):
+
 2016-04-08  Brady Eidson  <beid...@apple.com>
 
         Modern IDB: Use more IDBValue and IDBGetResult in IDBBackingStore.

Modified: trunk/Source/WebCore/platform/audio/ios/AudioDestinationIOS.cpp (199251 => 199252)


--- trunk/Source/WebCore/platform/audio/ios/AudioDestinationIOS.cpp	2016-04-08 22:37:34 UTC (rev 199251)
+++ trunk/Source/WebCore/platform/audio/ios/AudioDestinationIOS.cpp	2016-04-08 22:41:46 UTC (rev 199252)
@@ -218,15 +218,14 @@
     UInt32 framesRemaining = numberOfFrames;
     UInt32 frameOffset = 0;
     while (framesRemaining > 0) {
-        if (m_startSpareFrame && m_endSpareFrame) {
+        if (m_startSpareFrame < m_endSpareFrame) {
             ASSERT(m_startSpareFrame < m_endSpareFrame);
-            UInt32 framesThisTime = m_endSpareFrame - m_startSpareFrame;
+            UInt32 framesThisTime = std::min(m_endSpareFrame - m_startSpareFrame, numberOfFrames);
             assignAudioBuffersToBus(buffers, *m_renderBus, numberOfBuffers, numberOfFrames, frameOffset, framesThisTime);
             m_renderBus->copyFromRange(*m_spareBus, m_startSpareFrame, m_endSpareFrame);
             frameOffset += framesThisTime;
             framesRemaining -= framesThisTime;
-            m_startSpareFrame = 0;
-            m_endSpareFrame = 0;
+            m_startSpareFrame += framesThisTime;
         }
 
         UInt32 framesThisTime = std::min<UInt32>(kRenderBufferSize, framesRemaining);
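Review bot: the copyFromRange() call in the middle of the hunk still passes m_endSpareFrame as its end frame, while assignAudioBuffersToBus() on the line above it now maps only framesThisTime frames, which can be fewer than m_endSpareFrame - m_startSpareFrame once the new std::min() clamp takes effect; the source range should be cut to the same length, i.e. m_renderBus->copyFromRange(*m_spareBus, m_startSpareFrame, m_startSpareFrame + framesThisTime), otherwise the copy is asked for more frames than the bus was given and the outcome depends on copyFromRange()'s own bounds handling, which is not visible here. Two smaller points on the same branch: the clamp bounds the spare range by numberOfFrames rather than framesRemaining, which is the same on the first trip through the loop but not if the branch is ever taken after some frames have already been rendered in this call, so std::min(m_endSpareFrame - m_startSpareFrame, framesRemaining) is the value that actually keeps "framesRemaining -= framesThisTime" from wrapping; and the ASSERT(m_startSpareFrame < m_endSpareFrame) directly after the new condition now restates that condition and can be dropped. Since the old branch cleared both cursors and the new one only advances m_startSpareFrame, it is worth confirming that the code which refills the spare bus (outside this hunk) resets both cursors itself.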
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
