Potential use-after-free with an event fired at an HTMLMediaElement which is currently...
author eric.carlson@apple.com <eric.carlson@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 14 Jun 2013 17:18:59 +0000 (17:18 +0000)
committer eric.carlson@apple.com <eric.carlson@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 14 Jun 2013 17:18:59 +0000 (17:18 +0000)
commit 43d468e534dd9b1a445ea4d463cabdd674278fab
tree ab07bb88866923f3252a512536ad7d7ae379b28d
parent ac90cfd9541719c5450aef59aa2bb2aebd6c81f7
Potential use-after-free with an event fired at an HTMLMediaElement which is currently being deleted
https://bugs.webkit.org/show_bug.cgi?id=117466

Reviewed by Oliver Hunt.

Merge https://chromium.googlesource.com/chromium/blink/+/f4200a0093b3d9376f703961615359ec7fb712b4

If an event is created using as target an HTMLMediaElement which is
currently being deleted, it becomes a heap-use-after-free situation.

The GenericEventQueue instance is already owned by the HTMLMediaElement,
and there already is an underlying mechanism to set the target of the
event to NULL if its target is the owner of the queue.

In order to avoid creating this reference in the first place, we enqueue
the event with a NULL target to defer the refcount increment until the
timer for dispatching the event happens (which won't happen at all if
garbage collection is already destroying the objects).

Source/WebCore:

Test: media/track/media-element-enqueue-event-crash.html

* dom/GenericEventQueue.cpp:
(WebCore::GenericEventQueue::enqueueEvent): Don't ASSERT if the event has no target.

* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::~HTMLMediaElement): Close the event queue so it won't try to
    dispatch any pending events.
(WebCore::HTMLMediaElement::scheduleEvent): Don't set the event target, it will happen just
    prior to event dispatch.
(WebCore::HTMLMediaElement::stop): Close the event queue.

LayoutTests:

* media/track/media-element-enqueue-event-crash-expected.txt: Added.
* media/track/media-element-enqueue-event-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@151600 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/media/track/media-element-enqueue-event-crash-expected.txt [new file with mode: 0644]
LayoutTests/media/track/media-element-enqueue-event-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/GenericEventQueue.cpp
Source/WebCore/html/HTMLMediaElement.cpp
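The following is an added example, not WebKit code, that models in a few dozen lines the refcount and event-queue interaction the commit message describes: an element that owns its GenericEventQueue, an Event that holds a strong reference to its target, and the existing cycle-breaker in enqueueEvent that nulls a target equal to the queue owner. With the pre-fix scheduleEvent (target set at enqueue time), scheduling an event while the element's refcount is already zero and its destructor is running takes a fresh reference and immediately drops it, re-entering destruction; with the post-fix behaviour (target attached only when the dispatch timer fires, queue closed in the destructor and in stop()) no reference is created. The class and member names, the "emptied" and "play" event types and the scenario of an event being scheduled from inside the destructor are assumptions for illustration; the model never frees memory in destroy(), so the misuse is recorded in a flag rather than executed.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

struct MediaElement;

// Event holding a strong reference to its target (refcount modelled with explicit ref()/deref()).
struct Event {
    std::string type;
    MediaElement* target = nullptr;
    explicit Event(std::string t) : type(std::move(t)) {}
    void setTarget(MediaElement* t);
    ~Event() { setTarget(nullptr); }
};

// Owned by the element, so it is torn down inside the element's destructor (assumed model).
struct GenericEventQueue {
    MediaElement* owner;
    std::vector<std::unique_ptr<Event>> pending;
    bool closed = false;
    explicit GenericEventQueue(MediaElement* o) : owner(o) {}
    void enqueueEvent(std::unique_ptr<Event> e);
    void timerFired();
    void close() { closed = true; pending.clear(); }
};

struct MediaElement {
    int refCount = 1;
    bool inDestructor = false;
    bool freed = false;
    bool doubleFreeDetected = false;  // stands in for the heap-use-after-free ASan would report
    bool fixed;                       // false: pre-fix scheduleEvent/destructor; true: post-fix
    GenericEventQueue queue{this};
    std::vector<std::string> dispatched;

    explicit MediaElement(bool applyFix) : fixed(applyFix) {}
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) destroy(); }

    void scheduleEvent(const std::string& type) {
        auto e = std::make_unique<Event>(type);
        if (!fixed)
            e->setTarget(this);            // pre-fix: takes a reference on `this` right now
        queue.enqueueEvent(std::move(e));  // post-fix: target stays null until dispatch
    }
    void stop() { queue.close(); }

    // Stands in for the destructor: entered when the last reference is dropped. Instead of
    // freeing memory it records a second entry, which in the real code is the use-after-free.
    void destroy() {
        if (inDestructor || freed) { doubleFreeDetected = true; return; }
        inDestructor = true;
        if (fixed)
            queue.close();             // post-fix: nothing pending can dispatch any more
        scheduleEvent("emptied");      // assumed: some teardown step schedules an event while dying
        queue.pending.clear();         // member destruction
        freed = true;
    }
};

void Event::setTarget(MediaElement* t) {
    if (target) target->deref();
    target = t;
    if (target) target->ref();
}

void GenericEventQueue::enqueueEvent(std::unique_ptr<Event> e) {
    if (closed) return;                              // dropped, never dispatched
    if (e->target == owner) e->setTarget(nullptr);   // existing cycle-breaker (owner -> queue -> event -> owner)
    pending.push_back(std::move(e));
}

void GenericEventQueue::timerFired() {
    std::vector<std::unique_ptr<Event>> events;
    events.swap(pending);
    for (auto& e : events) {
        if (!e->target) e->setTarget(owner);        // reference taken only now, just before dispatch
        owner->dispatched.push_back(e->type);
    }
}   // events destroyed here, releasing the references they took

// Drop the last reference and report whether destruction was entered a second time.
bool lastDerefDoubleFrees(bool applyFix) {
    MediaElement el(applyFix);
    el.deref();
    return el.doubleFreeDetected;
}

// Schedule an event on a live element, optionally stop() it first, then fire the timer.
std::vector<std::string> dispatchedEvents(bool applyFix, bool stopBeforeTimer) {
    MediaElement el(applyFix);
    el.scheduleEvent("play");
    if (stopBeforeTimer) el.stop();
    el.queue.timerFired();
    return el.dispatched;
}

int main() {
    std::printf("pre-fix double free during destruction:  %d\n", lastDerefDoubleFrees(false));
    std::printf("post-fix double free during destruction: %d\n", lastDerefDoubleFrees(true));
    std::printf("events dispatched after stop():          %zu\n", dispatchedEvents(true, true).size());
    return 0;
}
```

The live-element path behaves the same before and after the fix (the event still reaches the element, and the refcount returns to one once the dispatched events are destroyed); only the dying-element path differs, which is why a layout test that races event scheduling against element teardown, as the added media/track test does, is the right regression check.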