<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[236812] branches/safari-606.2.104.0-branch/Source/WebCore</title>
</head>
<body>

<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/236812">236812</a></dd>
<dt>Author</dt> <dd>kocsen_chung@apple.com</dd>
<dt>Date</dt> <dd>2018-10-03 14:09:42 -0700 (Wed, 03 Oct 2018)</dd>
</dl>

<h3>Log Message</h3>
<pre>Cherry-pick <a href="http://trac.webkit.org/projects/webkit/changeset/236806">r236806</a>. rdar://problem/44855484

    CRASH in CVPixelBufferGetBytePointerCallback()
    https://bugs.webkit.org/show_bug.cgi?id=190092

    Reviewed by Eric Carlson.

    Speculative fix for crash that occurs when callers of CVPixelBufferGetBytePointerCallback() attempt
    to read the last byte of a CVPixelBuffer (as a pre-flight check) and crash due to a memory access
    error. It's speculated that mismatching CVPixelBufferLockBytePointer / CVPixelBufferUnlockBytePointer
    calls could result in an incorrect state inside the CVPixelBuffer. Add log count checks, locking, and
    release logging to try to pinpoint whether mismatched lock counts are occurring in this code path.

    * platform/graphics/cv/PixelBufferConformerCV.cpp:
    (WebCore::CVPixelBufferGetBytePointerCallback):
    (WebCore::CVPixelBufferReleaseBytePointerCallback):
    (WebCore::CVPixelBufferReleaseInfoCallback):
    (WebCore::PixelBufferConformerCV::createImageFromPixelBuffer):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@236806 268f45cc-cd09-0410-ab3c-d52691b4dbfc</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#branchessafari60621040branchSourceWebCoreChangeLog">branches/safari-606.2.104.0-branch/Source/WebCore/ChangeLog</a></li>
<li><a href="#branchessafari60621040branchSourceWebCoreplatformgraphicscvPixelBufferConformerCVcpp">branches/safari-606.2.104.0-branch/Source/WebCore/platform/graphics/cv/PixelBufferConformerCV.cpp</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="branchessafari60621040branchSourceWebCoreChangeLog"></a>
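--- a/branches/safari-606.2.104.0-branch/Source/WebCore/ChangeLog
+++ b/branches/safari-606.2.104.0-branch/Source/WebCore/ChangeLog
@@ -1,3 +1,46 @@
+2018-10-03  Kocsen Chung  <kocsen_chung@apple.com>
+
+        Cherry-pick r236806. rdar://problem/44855484
+
+    CRASH in CVPixelBufferGetBytePointerCallback()
+    https://bugs.webkit.org/show_bug.cgi?id=190092
+    
+    Reviewed by Eric Carlson.
+    
+    Speculative fix for crash that occurs when callers of CVPixelBufferGetBytePointerCallback() attempt
+    to read the last byte of a CVPixelBuffer (as a pre-flight check) and crash due to a memory access
+    error. It's speculated that mismatching CVPixelBufferLockBytePointer / CVPixelBufferUnlockBytePointer
+    calls could result in an incorrect state inside the CVPixelBuffer. Add log count checks, locking, and
+    release logging to try to pinpoint if mismatch lock counts are occurring in this code path.
+    
+    * platform/graphics/cv/PixelBufferConformerCV.cpp:
+    (WebCore::CVPixelBufferGetBytePointerCallback):
+    (WebCore::CVPixelBufferReleaseBytePointerCallback):
+    (WebCore::CVPixelBufferReleaseInfoCallback):
+    (WebCore::PixelBufferConformerCV::createImageFromPixelBuffer):
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@236806 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2018-10-03  Jer Noble  <jer.noble@apple.com>
+
+            CRASH in CVPixelBufferGetBytePointerCallback()
+            https://bugs.webkit.org/show_bug.cgi?id=190092
+
+            Reviewed by Eric Carlson.
+
+            Speculative fix for crash that occurs when callers of CVPixelBufferGetBytePointerCallback() attempt
+            to read the last byte of a CVPixelBuffer (as a pre-flight check) and crash due to a memory access
+            error. It's speculated that mismatching CVPixelBufferLockBytePointer / CVPixelBufferUnlockBytePointer
+            calls could result in an incorrect state inside the CVPixelBuffer. Add log count checks, locking, and
+            release logging to try to pinpoint if mismatch lock counts are occurring in this code path.
+
+            * platform/graphics/cv/PixelBufferConformerCV.cpp:
+            (WebCore::CVPixelBufferGetBytePointerCallback):
+            (WebCore::CVPixelBufferReleaseBytePointerCallback):
+            (WebCore::CVPixelBufferReleaseInfoCallback):
+            (WebCore::PixelBufferConformerCV::createImageFromPixelBuffer):
+
 2018-09-28  Babak Shafiei  <bshafiei@apple.com>
 
         Cherry-pick r236615. rdar://problem/44883290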
<a id="branchessafari60621040branchSourceWebCoreplatformgraphicscvPixelBufferConformerCVcpp"></a>
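--- a/branches/safari-606.2.104.0-branch/Source/WebCore/platform/graphics/cv/PixelBufferConformerCV.cpp
+++ b/branches/safari-606.2.104.0-branch/Source/WebCore/platform/graphics/cv/PixelBufferConformerCV.cpp
@@ -29,6 +29,7 @@
 #if HAVE(CORE_VIDEO)
 
 #include "GraphicsContextCG.h"
+#include "Logging.h"
 #include <wtf/SoftLinking.h>
 
 #include "CoreVideoSoftLink.h"
@@ -55,23 +56,87 @@
 #endif
 }
 
-static const void* CVPixelBufferGetBytePointerCallback(void* info)
+struct CVPixelBufferInfo {
+    RetainPtr<CVPixelBufferRef> pixelBuffer;
+    int lockCount { 0 };
+};
+
+static const void* CVPixelBufferGetBytePointerCallback(void* refcon)
 {
-    CVPixelBufferRef pixelBuffer = static_cast<CVPixelBufferRef>(info);
-    CVPixelBufferLockBaseAddress(pixelBuffer, kCVPixelBufferLock_ReadOnly);
-    return CVPixelBufferGetBaseAddress(pixelBuffer);
+    ASSERT(refcon);
+    if (!refcon) {
+        RELEASE_LOG_ERROR(Media, "CVPixelBufferGetBytePointerCallback() called with NULL refcon");
+        RELEASE_LOG_STACKTRACE(Media);
+        return nullptr;
+    }
+    auto info = static_cast<CVPixelBufferInfo*>(refcon);
+
+    CVReturn result = CVPixelBufferLockBaseAddress(info->pixelBuffer.get(), kCVPixelBufferLock_ReadOnly);
+
+    ASSERT(result == kCVReturnSuccess);
+    if (result != kCVReturnSuccess) {
+        RELEASE_LOG_ERROR(Media, "CVPixelBufferLockBaseAddress() returned error code %d", result);
+        RELEASE_LOG_STACKTRACE(Media);
+        return nullptr;
+    }
+
+    ++info->lockCount;
+    void* address = CVPixelBufferGetBaseAddress(info->pixelBuffer.get());
+    RELEASE_LOG_INFO(Media, "CVPixelBufferGetBytePointerCallback() returning bytePointer: %p, size: %zu", address, CVPixelBufferGetDataSize(info->pixelBuffer.get()));
+    return address;
 }
 
-static void CVPixelBufferReleaseBytePointerCallback(void* info, const void*)
+static void CVPixelBufferReleaseBytePointerCallback(void* refcon, const void*)
 {
-    CVPixelBufferRef pixelBuffer = static_cast<CVPixelBufferRef>(info);
-    CVPixelBufferUnlockBaseAddress(pixelBuffer, kCVPixelBufferLock_ReadOnly);
+    ASSERT(refcon);
+    if (!refcon) {
+        RELEASE_LOG_ERROR(Media, "CVPixelBufferReleaseBytePointerCallback() called with NULL refcon");
+        RELEASE_LOG_STACKTRACE(Media);
+        return;
+    }
+    auto info = static_cast<CVPixelBufferInfo*>(refcon);
+
+    CVReturn result = CVPixelBufferUnlockBaseAddress(info->pixelBuffer.get(), kCVPixelBufferLock_ReadOnly);
+    ASSERT(result == kCVReturnSuccess);
+    if (result != kCVReturnSuccess) {
+        RELEASE_LOG_ERROR(Media, "CVPixelBufferLockBaseAddress() returned error code %d", result);
+        RELEASE_LOG_STACKTRACE(Media);
+        return;
+    }
+
+    ASSERT(info->lockCount);
+    if (!info->lockCount) {
+        RELEASE_LOG_ERROR(Media, "CVPixelBufferReleaseBytePointerCallback() called without matching CVPixelBufferGetBytePointerCallback()");
+        RELEASE_LOG_STACKTRACE(Media);
+    }
+    --info->lockCount;
 }
 
-static void CVPixelBufferReleaseInfoCallback(void* info)
+static void CVPixelBufferReleaseInfoCallback(void* refcon)
 {
-    CVPixelBufferRef pixelBuffer = static_cast<CVPixelBufferRef>(info);
-    CFRelease(pixelBuffer);
+    ASSERT(refcon);
+    if (!refcon) {
+        RELEASE_LOG_ERROR(Media, "CVPixelBufferReleaseInfoCallback() called with NULL refcon");
+        RELEASE_LOG_STACKTRACE(Media);
+        return;
+    }
+    auto info = static_cast<CVPixelBufferInfo*>(refcon);
+
+    ASSERT(!info->lockCount);
+    if (info->lockCount) {
+        RELEASE_LOG_ERROR(Media, "CVPixelBufferReleaseInfoCallback() called with a non-zero lockCount: %d", info->lockCount);
+        RELEASE_LOG_STACKTRACE(Media);
+
+        CVReturn result = CVPixelBufferUnlockBaseAddress(info->pixelBuffer.get(), kCVPixelBufferLock_ReadOnly);
+        ASSERT(result == kCVReturnSuccess);
+        if (result != kCVReturnSuccess) {
+            RELEASE_LOG_ERROR(Media, "CVPixelBufferLockBaseAddress() returned error code %d", result);
+            RELEASE_LOG_STACKTRACE(Media);
+        }
+    }
+
+    info->pixelBuffer = nullptr;
+    delete info;
 }
 
 RetainPtr<CVPixelBufferRef> PixelBufferConformerCV::convert(CVPixelBufferRef rawBuffer)
@@ -112,9 +177,12 @@
     size_t bytesPerRow = CVPixelBufferGetBytesPerRow(buffer.get());
     size_t byteLength = CVPixelBufferGetDataSize(buffer.get());
 
-    CFRetain(buffer.get()); // Balanced by CVPixelBufferReleaseInfoCallback in providerCallbacks.
+    CVPixelBufferInfo* info = new CVPixelBufferInfo();
+    info->pixelBuffer = WTFMove(buffer);
+    info->lockCount = 0;
+
     CGDataProviderDirectCallbacks providerCallbacks = { 0, CVPixelBufferGetBytePointerCallback, CVPixelBufferReleaseBytePointerCallback, 0, CVPixelBufferReleaseInfoCallback };
-    RetainPtr<CGDataProviderRef> provider = adoptCF(CGDataProviderCreateDirect(buffer.get(), byteLength, &providerCallbacks));
+    RetainPtr<CGDataProviderRef> provider = adoptCF(CGDataProviderCreateDirect(info, byteLength, &providerCallbacks));
 
     return adoptCF(CGImageCreate(width, height, 8, 32, bytesPerRow, sRGBColorSpaceRef(), bitmapInfo, provider.get(), nullptr, false, kCGRenderingIntentDefault));
 }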
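Review bot: The error message emitted after the `CVPixelBufferUnlockBaseAddress()` call in `CVPixelBufferReleaseBytePointerCallback` names `CVPixelBufferLockBaseAddress()`, and `CVPixelBufferReleaseInfoCallback` repeats the same copy-paste in its failure branch; since the whole point of this change is to attribute lock/unlock mismatches from release logs, both should read `RELEASE_LOG_ERROR(Media, "CVPixelBufferUnlockBaseAddress() returned error code %d", result);`. In the same release-byte-pointer callback `--info->lockCount;` still runs after the "called without matching" mismatch has been logged, so the counter goes negative and `CVPixelBufferReleaseInfoCallback` then issues one extra unlock on a buffer that is no longer locked; putting the decrement in an `else` branch (or returning after the log) keeps the diagnostic from perturbing the state it is meant to observe, and the single unlock in the info callback also only covers a count of exactly one. `lockCount` is a plain `int` mutated from CGDataProvider callbacks, and if CoreGraphics ever invokes them from more than one thread — which the hunk does not establish either way — the counter the logs rely on is itself racy, so `std::atomic<int>` would be a cheap way to make the diagnostic trustworthy. In the last hunk `info->lockCount = 0;` duplicates the in-class initializer `int lockCount { 0 };` and can be dropped; the enclosing `createImageFromPixelBuffer` starts outside the hunk.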
</div>

</body>
</html>