git://git.webkit.org / WebKit-https.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: c4dfcfd) | patch
Heap-use-after-free in WebCore::HTMLMediaElement::~HTMLMediaElement
authoracolwell@chromium.org <acolwell@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 6 Mar 2013 02:11:03 +0000 (02:11 +0000)
committeracolwell@chromium.org <acolwell@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 6 Mar 2013 02:11:03 +0000 (02:11 +0000)
commit4b16936df04cfc8656e280683aff7aeae211ea6f
tree5ddf748222a1b235c38f9a7ee8e38dd100111f0ctree | snapshot
parentc4dfcfd2a597f410a483ccbcb9362c1a2c94dac7commit | diff
Heap-use-after-free in WebCore::HTMLMediaElement::~HTMLMediaElement
https://bugs.webkit.org/show_bug.cgi?id=110623

Reviewed by Eric Seidel.

Source/WebCore:

Test: http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal.html

* html/HTMLAudioElement.h:
(HTMLAudioElement):
* html/HTMLAudioElement.idl:
* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::hasPendingActivity):
* html/HTMLMediaElement.idl:

LayoutTests:

* http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal-expected.txt: Added.
* http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal.html: Added.
* http/tests/misc/resources/delete-frame-during-readystatechange-frame-with-gc-after-video-removal.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@144859 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog diff | blob | history
LayoutTests/http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal-expected.txt [new file with mode: 0644] blob
LayoutTests/http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal.html [new file with mode: 0644] blob
LayoutTests/http/tests/misc/resources/delete-frame-during-readystatechange-frame-with-gc-after-video-removal.html [new file with mode: 0644] blob
Source/WebCore/ChangeLog diff | blob | history
Source/WebCore/html/HTMLAudioElement.h diff | blob | history
Source/WebCore/html/HTMLAudioElement.idl diff | blob | history
Source/WebCore/html/HTMLMediaElement.cpp diff | blob | history
Source/WebCore/html/HTMLMediaElement.idl diff | blob | history
Mirror of the WebKit open source project from svn.webkit.org.