[Webkit-unassigned] [Bug 171614] New: Use after free in ImageFrameCache::cacheAsyncFrameNativeImageAtIndex()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed May 3 13:16:05 PDT 2017


https://bugs.webkit.org/show_bug.cgi?id=171614

            Bug ID: 171614
           Summary: Use after free in
                    ImageFrameCache::cacheAsyncFrameNativeImageAtIndex()
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Images
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: sabouhallawa at apple.com

This is the scenario of the crash:

1. The BitmapImage::draw() in the main thread requests decoding an image frame through ImageFrameCache::requestFrameAsyncDecodingAtIndex()
2. The decoding thread in ImageFrameCache::startAsyncDecodingQueue() starts decoding the image frame.
3. The main thread deletes the BitmapImage. This means the ImageFrameCache will be dereferenced but will not be deleted, since the decoding thread has a protecting copy.
4. The decoding thread can still proceed, since all the data members are captured, including the ImageFrameCache.
5. The decoding thread pushes a request on the main thread to cache the decoded frame.
6. The decoding thread terminates, since ImageFrameCache::stopAsyncDecodingQueue() was called when the BitmapImage was deleted. ImageFrameCache is dereferenced a second time, and in this case it is deleted.
7. The call on the main thread to ImageFrameCache::cacheFrameNativeImageAtIndex() is now acting on a deleted object.

The fix is to protect this and protectedDecoder as well by making callOnMainThread() in the decoding thread capture them. We do the same thing for protectedQueue.

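The seven-step interleaving above, replayed as an added example that is not part of the bug report or of WebKit's code. FrameCache, Protector, the g_liveObjects tracker and the g_mainThreadTasks queue are hypothetical stand-ins for ImageFrameCache, a protecting RefPtr, and callOnMainThread(); the two threads are simulated as sequential steps so the race is deterministic, and a lifetime set is consulted instead of actually touching freed memory. simulate(false) reproduces the bug (the main-thread task captures only the raw this pointer) and simulate(true) reproduces the fix (the task also captures a protecting copy, so the last deref happens only after the task has run).

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <set>
#include <vector>

// Hypothetical stand-ins (not WebKit code): a lifetime tracker so the
// example can detect "acting on a deleted object" without undefined
// behaviour, and a queue standing in for callOnMainThread().
static std::set<const void*> g_liveObjects;
static std::vector<std::function<void()>> g_mainThreadTasks;

// Intrusively ref-counted object, playing the role of ImageFrameCache.
struct FrameCache {
    FrameCache() { g_liveObjects.insert(this); }
    ~FrameCache() { g_liveObjects.erase(this); }
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }
    void cacheFrame(int index) { m_cachedFrames.push_back(index); }
    unsigned m_refCount { 1 };          // the owner (BitmapImage) holds the first ref
    std::vector<int> m_cachedFrames;
};

// Minimal RefPtr-like protector: copying it takes an extra ref, destroying it drops one.
class Protector {
public:
    explicit Protector(FrameCache* p) : m_ptr(p) { m_ptr->ref(); }
    Protector(const Protector& o) : m_ptr(o.m_ptr) { m_ptr->ref(); }
    Protector& operator=(const Protector&) = delete;
    ~Protector() { m_ptr->deref(); }
    FrameCache* get() const { return m_ptr; }
private:
    FrameCache* m_ptr;
};

// Replays steps 1-7 of the report. Returns true if the main-thread task
// found its FrameCache already destroyed (the use-after-free).
static bool simulate(bool captureProtectorInMainThreadTask) {
    g_mainThreadTasks.clear();
    bool touchedDeadObject = false;
    const int frameIndex = 0;

    // Step 1: BitmapImage owns the cache (refcount 1) and requests async decoding.
    FrameCache* cache = new FrameCache;

    // Step 2: the decoding thread starts and holds a protecting copy (refcount 2).
    std::unique_ptr<Protector> protectedCache(new Protector(cache));

    // Step 3: the main thread deletes the BitmapImage, dropping its ref (refcount 1).
    cache->deref();

    // Steps 4-5: decoding finishes; the decoding thread posts the "cache this frame"
    // task to the main thread. The buggy version captures only the raw pointer.
    FrameCache* rawThis = protectedCache->get();
    auto work = [rawThis, frameIndex, &touchedDeadObject] {
        if (!g_liveObjects.count(rawThis)) { touchedDeadObject = true; return; }
        rawThis->cacheFrame(frameIndex);   // cacheFrameNativeImageAtIndex() stand-in
    };
    if (captureProtectorInMainThreadTask) {
        Protector keepAlive(*protectedCache);             // extra ref owned by the task
        g_mainThreadTasks.push_back([keepAlive, work] { work(); });
    } else {
        g_mainThreadTasks.push_back(work);
    }

    // Step 6: the decoding thread terminates and releases its protector.
    // Buggy: refcount hits 0 here and the cache is deleted before the task runs.
    // Fixed: the queued task still holds a ref, so the cache survives.
    protectedCache.reset();

    // Step 7: the main thread runs the queued task, then discards it
    // (in the fixed case, destroying the task drops the last ref).
    for (auto& task : g_mainThreadTasks) task();
    g_mainThreadTasks.clear();
    return touchedDeadObject;
}

// True when every FrameCache created so far has been destroyed (no leak, no double free).
static bool allCachesFreed() { return g_liveObjects.empty(); }

int main() {
    std::printf("raw capture:       use-after-free=%d freed=%d\n", simulate(false), allCachesFreed());
    std::printf("protected capture: use-after-free=%d freed=%d\n", simulate(true), allCachesFreed());
    return 0;
}
```

The point the example makes concrete: a protecting reference held by the decoding thread only covers work that thread does itself. Anything it hands to another thread (the lambda given to callOnMainThread()) outlives the thread's own scope, so the lambda must carry its own references to every object it will touch, which is exactly what the report proposes for this and protectedDecoder.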