[webkit-changes] [WebKit/WebKit] ce446a: Fix UAF in MediaPlayerPrivateMediaStreamAVFObjC::p...
Chirag Shah
noreply at github.com
Mon Jul 31 11:26:55 PDT 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: ce446a1cea9271f198c477ab095dfa9be68a659e
https://github.com/WebKit/WebKit/commit/ce446a1cea9271f198c477ab095dfa9be68a659e
Author: Chirag M Shah <chirag_m_shah at apple.com>
Date: 2023-07-31 (Mon, 31 Jul 2023)
Changed paths:
A LayoutTests/fast/media/media-player-uaf-expected.txt
A LayoutTests/fast/media/media-player-uaf.html
M Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateMediaStreamAVFObjC.mm
Log Message:
-----------
Fix UAF in MediaPlayerPrivateMediaStreamAVFObjC::processNewVideoFrame
https://bugs.webkit.org/show_bug.cgi?id=256173
rdar://108504399
Reviewed by Jer Noble and Youenn Fablet.
This change fixes the heap UAF on the MediaPlayer element by protecting the
MediaPlayer object when executing callbacks/deferred tasks on the main thread,
so that MediaPlayerPrivateMediaStreamAVFObjC remains valid.
* Source/WebCore/html/HTMLMediaElement.cpp:
* Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateMediaStreamAVFObjC.mm:
(WebCore::MediaPlayerPrivateMediaStreamAVFObjC::processNewVideoFrame):
(WebCore::MediaPlayerPrivateMediaStreamAVFObjC::scheduleDeferredTask):
* LayoutTests/fast/media/media-player-uaf-expected.txt: Added.
* LayoutTests/fast/media/media-player-uaf.html: Added.
Originally-landed-as: 259548.728 at safari-7615-branch (4206d483814c). rdar://108504399
Canonical link: https://commits.webkit.org/266444@main
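The lifetime hazard the commit describes, as an added illustration that is not WebKit's code: a deferred task that reaches the player-private backend through an unprotected pointer can run after the owner has released the player, whereas a task that captures a strong reference keeps the player (and so its backend) alive until it has run. The run loop, the `MediaPlayer`/`MediaPlayerPrivate` stand-ins and `runScenario` are constructed here, and `std::shared_ptr`/`std::weak_ptr` stand in for WebKit's own smart pointers.

```cpp
#include <functional>
#include <memory>
#include <vector>

// Constructed stand-in for the main thread's run loop: a task queued by
// scheduleDeferredTask only runs after the caller's stack has unwound.
static std::vector<std::function<void()>> g_mainThreadQueue;

static void drainMainThread() {
    auto tasks = std::move(g_mainThreadQueue);
    g_mainThreadQueue.clear();
    for (auto& task : tasks) task();
}

// Hypothetical stand-in for MediaPlayerPrivateMediaStreamAVFObjC.
struct MediaPlayerPrivate {
    int framesProcessed = 0;
    void processNewVideoFrame() { ++framesProcessed; }
};

// Hypothetical stand-in for WebCore::MediaPlayer, which owns the private backend.
struct MediaPlayer : std::enable_shared_from_this<MediaPlayer> {
    std::unique_ptr<MediaPlayerPrivate> priv = std::make_unique<MediaPlayerPrivate>();

    // protect == false: the task would reach the backend through a player the
    // owner may already have released (the UAF the commit fixes).
    // protect == true: a strong reference keeps the player, and therefore its
    // private backend, alive until the task has run (the fix's pattern).
    void scheduleDeferredTask(bool protect, bool& taskSawLivePlayer) {
        std::weak_ptr<MediaPlayer> weakSelf = shared_from_this(); // observer only
        std::shared_ptr<MediaPlayer> protectedThis = protect ? shared_from_this() : std::shared_ptr<MediaPlayer>{};
        g_mainThreadQueue.push_back([weakSelf, protectedThis, &taskSawLivePlayer] {
            auto self = weakSelf.lock();
            taskSawLivePlayer = (self != nullptr); // false == would have been a UAF
            if (self) self->priv->processNewVideoFrame();
        });
    }
};

// The owner drops its reference before the queued task runs; returns whether
// the task still found a live player to process the frame on.
bool runScenario(bool protect) {
    bool alive = false;
    auto player = std::make_shared<MediaPlayer>();
    player->scheduleDeferredTask(protect, alive);
    player.reset();   // e.g. the media element tore the player down
    drainMainThread();
    return alive;
}
```

The unprotected case is made observable through the weak pointer instead of dereferencing freed memory, so the program shows where the original would have faulted without itself being undefined behaviour.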