Commit daa5f83

Ian Gilbert authored and webkit-commit-queue committed
Null pointer dereference on MediaStreamAudioSourceNode destructor
https://bugs.webkit.org/show_bug.cgi?id=224573

Patch by Ian Gilbert <iang@apple.com> on 2021-04-15
Reviewed by Eric Carlson.

Source/WebCore:

Add null pointer check in case the capture source no longer exists.

Test: webaudio/destroy-audio-source-node-with-no-track-crash.html

* platform/mediastream/mac/MediaStreamTrackAudioSourceProviderCocoa.cpp:
(WebCore::MediaStreamTrackAudioSourceProviderCocoa::hasNewClient):

LayoutTests:

Add regression test.

* webaudio/destroy-audio-source-node-with-no-track-crash-expected.txt: Added.
* webaudio/destroy-audio-source-node-with-no-track-crash.html: Added.

Canonical link: https://commits.webkit.org/236592@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@276079 268f45cc-cd09-0410-ab3c-d52691b4dbfc
1 parent 7c7310e commit daa5f83

5 files changed

Lines changed: 49 additions & 1 deletion

LayoutTests/ChangeLog

Lines changed: 12 additions & 0 deletions
@@ -1,3 +1,15 @@
1+
2021-04-15 Ian Gilbert <iang@apple.com>
2+
3+
Null pointer dereference on MediaStreamAudioSourceNode destructor
4+
https://bugs.webkit.org/show_bug.cgi?id=224573
5+
6+
Reviewed by Eric Carlson.
7+
8+
Add regression test.
9+
10+
* webaudio/destroy-audio-source-node-with-no-track-crash-expected.txt: Added.
11+
* webaudio/destroy-audio-source-node-with-no-track-crash.html: Added.
12+
113
2021-04-15 Julian Gonzalez <julian_a_gonzalez@apple.com>
214

315
Crash in ReplaceSelectionCommand::mergeEndIfNeeded()

LayoutTests/webaudio/destroy-audio-source-node-with-no-track-crash-expected.txt

Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
Test passes if it does not crash.
2+
3+
PASS

LayoutTests/webaudio/destroy-audio-source-node-with-no-track-crash.html

Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,18 @@
1+
<p>Test passes if it does not crash.</p>
2+
<script>
3+
if (window.testRunner)
4+
testRunner.dumpAsText();
5+
6+
let audioContext = new AudioContext();
7+
let mediaStreamAudioDestinationNode = new MediaStreamAudioDestinationNode(audioContext);
8+
new MediaStreamAudioSourceNode(audioContext, {mediaStream: mediaStreamAudioDestinationNode.stream});
9+
10+
let track0 = mediaStreamAudioDestinationNode.stream.getAudioTracks()[0];
11+
track0.stop();
12+
mediaStreamAudioDestinationNode.stream.removeTrack(track0);
13+
track0 = undefined;
14+
15+
GCController.collect();
16+
17+
document.write("PASS");
18+
</script>
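
Review bot: `GCController.collect()` on line 15 is called without a guard, while `testRunner` on line 3 is checked with `if (window.testRunner)`. Opened outside the test harness, where `GCController` is not defined, the script throws before `document.write("PASS")` runs, so the page reports a failure unrelated to the crash being tested. Suggest `if (window.GCController) GCController.collect();`. A one-line comment stating that the `MediaStreamAudioSourceNode` on line 8 is left unreferenced on purpose, so that collection runs its destructor after the track has been stopped and removed, would also make the intent of the test clear to whoever next touches it.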

Source/WebCore/ChangeLog

Lines changed: 14 additions & 0 deletions
@@ -1,3 +1,17 @@
1+
2021-04-15 Ian Gilbert <iang@apple.com>
2+
3+
Null pointer dereference on MediaStreamAudioSourceNode destructor
4+
https://bugs.webkit.org/show_bug.cgi?id=224573
5+
6+
Reviewed by Eric Carlson.
7+
8+
Add null pointer check in case the capture source no longer exists.
9+
10+
Test: webaudio/destroy-audio-source-node-with-no-track-crash.html
11+
12+
* platform/mediastream/mac/MediaStreamTrackAudioSourceProviderCocoa.cpp:
13+
(WebCore::MediaStreamTrackAudioSourceProviderCocoa::hasNewClient):
14+
115
2021-04-15 Julian Gonzalez <julian_a_gonzalez@apple.com>
216

317
Crash in ReplaceSelectionCommand::mergeEndIfNeeded()

Source/WebCore/platform/mediastream/mac/MediaStreamTrackAudioSourceProviderCocoa.cpp

Lines changed: 2 additions & 1 deletion
@@ -55,7 +55,8 @@ void MediaStreamTrackAudioSourceProviderCocoa::hasNewClient(AudioSourceProviderC
5555

5656
m_connected = shouldBeConnected;
5757
if (!client) {
58-
m_captureSource->removeObserver(*this);
58+
if (m_captureSource)
59+
m_captureSource->removeObserver(*this);
5960
m_source->removeAudioSampleObserver(*this);
6061
return;
6162
}
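
Review bot: `m_source->removeAudioSampleObserver(*this);` on new line 60 is still dereferenced unchecked right after the new `if (m_captureSource)` guard. If `m_source` can go away under the same conditions as the capture source, it needs the same check; if it cannot, a short comment saying why the two members have different lifetimes would keep the asymmetry from looking like an oversight. It is also worth confirming that the connect path after this early return, which is outside the hunk, does not use `m_captureSource` without a check, since the guard here only covers the `!client` branch.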
