CRASH at WebCore::TrackListBase::remove
author jer.noble@apple.com <jer.noble@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 20 Jan 2017 01:09:20 +0000 (01:09 +0000)
committer jer.noble@apple.com <jer.noble@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 20 Jan 2017 01:09:20 +0000 (01:09 +0000)
commit 5bb9f9cae46d11abd0cdf5c1f1ab8a500400cf01
tree 415a56cc625911a26a924da1ce2cc15b5cc6b041
parent bfc7b1e8d6b742a9168e0aab2a13d9620efb7555
CRASH at WebCore::TrackListBase::remove
https://bugs.webkit.org/show_bug.cgi?id=167217

Reviewed by Brent Fulgham.

Source/WebCore:

Test: media/media-source/media-source-error-crash.html

In very specific conditions, an HTMLMediaElement backed by a MediaSource can try to remove
the same track from its track list twice. If there are two SourceBuffers attached to an
HTMLMediaElement, and one has not yet been initialized, when the second fails to parse an
appended buffer after receiving an initialization segment, the HTMLMediaElement will remove
all its tracks in mediaLoadingFailed(), then the MediaSource object itself will attempt to remove
the same track in removeSourceBuffer().

Solving this the safest way possible: bail early from TrackListBase if asked to remove a
track which the list does not contain.

* html/track/TrackListBase.cpp:
(TrackListBase::remove):

LayoutTests:

* media/media-source/media-source-error-crash-expected.txt: Added.
* media/media-source/media-source-error-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@210945 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/media/media-source/media-source-error-crash-expected.txt [new file with mode: 0644]
LayoutTests/media/media-source/media-source-error-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/html/track/TrackListBase.cpp
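
The guard the commit message describes, as an added C++ example that is not WebKit's code: `Track`, `TrackList` and `replayDoubleRemove` are simplified, hypothetical stand-ins, and the removal counter is an assumed placeholder for whatever side effects a removal has.

```cpp
#include <algorithm>
#include <cstddef>
#include <memory>
#include <utility>
#include <vector>

// Simplified stand-ins (assumptions for illustration), not WebKit's classes.
struct Track { int id; };

class TrackList {
public:
    void append(std::shared_ptr<Track> track) { m_tracks.push_back(std::move(track)); }

    // Returns true if the track was removed, false if the list did not contain it.
    bool remove(const Track& track)
    {
        auto it = std::find_if(m_tracks.begin(), m_tracks.end(),
            [&](const std::shared_ptr<Track>& t) { return t.get() == &track; });
        if (it == m_tracks.end())
            return false; // Repeated removal of the same track: bail early.
        m_tracks.erase(it);
        ++m_removals; // Placeholder for side effects that must run once per track.
        return true;
    }

    std::size_t size() const { return m_tracks.size(); }
    int removals() const { return m_removals; }

private:
    std::vector<std::shared_ptr<Track>> m_tracks;
    int m_removals = 0;
};

// Replays the sequence from the commit message: one owner clears every track
// on load failure, then a second owner asks to remove a track that is already gone.
int replayDoubleRemove()
{
    TrackList list;
    auto audio = std::make_shared<Track>(Track{1});
    auto video = std::make_shared<Track>(Track{2});
    list.append(audio);
    list.append(video);

    bool firstAudio = list.remove(*audio); // mediaLoadingFailed()-style cleanup
    bool firstVideo = list.remove(*video);
    bool repeat = list.remove(*audio);     // removeSourceBuffer()-style cleanup
    bool ok = firstAudio && firstVideo && !repeat && list.size() == 0;
    return ok ? list.removals() : -1;      // side effects ran once per track
}
```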