Use-after-free in media player handling
author commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 27 Nov 2012 21:00:23 +0000 (21:00 +0000)
committer commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 27 Nov 2012 21:00:23 +0000 (21:00 +0000)
commit adf34d1b77535b57f890ee4050bd96a7337e2810
tree 601c084d83ee587159ab9447e08f4791733d64b3
parent b41ce4026395611afa59e1c16e977d2046c68400
Use-after-free in media player handling
https://bugs.webkit.org/show_bug.cgi?id=103426

Patch by Aaron Colwell <acolwell@chromium.org> on 2012-11-27
Reviewed by Eric Carlson.

Source/WebCore:

Fixed use-after-free bugs caused by the MediaSource not being closed before the HTMLMediaElement or the MediaPlayer
is destroyed. Closing the MediaSource causes it to clear its reference to the MediaPlayer which prevents
the use-after-free problems from happening.

Test: http/tests/media/media-source/video-media-source-closed-on-htmlmediaelement-destruction.html

* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::~HTMLMediaElement):
(WebCore::HTMLMediaElement::clearMediaPlayer):

LayoutTests:

- Added a test to verify that the MediaSource gets closed when the HTMLMediaElement is destroyed
  after it is removed from the DOM.
- Updated video-media-source-state-changes-expected.txt to reflect a slight change in event dispatch ordering.

* http/tests/media/media-source/video-media-source-closed-on-htmlmediaelement-destruction-expected.txt: Added.
* http/tests/media/media-source/video-media-source-closed-on-htmlmediaelement-destruction.html: Added.
* http/tests/media/media-source/video-media-source-state-changes-expected.txt:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@135906 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/http/tests/media/media-source/video-media-source-closed-on-htmlmediaelement-destruction-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/media/media-source/video-media-source-closed-on-htmlmediaelement-destruction.html [new file with mode: 0644]
LayoutTests/http/tests/media/media-source/video-media-source-state-changes-expected.txt
Source/WebCore/ChangeLog
Source/WebCore/html/HTMLMediaElement.cpp
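
A simplified C++ model of the lifetime rule the commit message describes, added here as an illustration: it is not WebKit code and not part of the commit. The `Player`, `Source` and `Element` classes and their methods are hypothetical stand-ins for MediaPlayer, MediaSource and HTMLMediaElement, and the assumption is that the source can outlive the element because script still holds a reference to it.

```cpp
#include <memory>
#include <string>

// Hypothetical stand-in for the media player; not a WebKit class.
struct Player {
    int delivered = 0;
    void deliver() { ++delivered; }
};

// Hypothetical stand-in for the source object that script can keep alive.
class Source {
public:
    void attach(Player* p) { m_player = p; m_state = "open"; }
    // Closing drops the back-pointer, so later calls cannot reach a dead Player.
    void close() { m_player = nullptr; m_state = "closed"; }
    // Returns false instead of dereferencing when no player is attached.
    bool append() {
        if (!m_player) return false;
        m_player->deliver();
        return true;
    }
    const std::string& state() const { return m_state; }
private:
    Player* m_player = nullptr;      // non-owning back-pointer
    std::string m_state = "closed";
};

// Hypothetical stand-in for the element that owns the player.
class Element {
public:
    explicit Element(std::shared_ptr<Source> s)
        : m_player(std::make_unique<Player>()), m_source(std::move(s))
    { m_source->attach(m_player.get()); }
    ~Element() { clearPlayer(); }
    // Every path that destroys the player closes the source first.
    void clearPlayer() {
        if (m_source) { m_source->close(); m_source.reset(); }
        m_player.reset();
    }
private:
    std::unique_ptr<Player> m_player;
    std::shared_ptr<Source> m_source;
};

// The source outlives the element, as when script keeps it after DOM removal.
bool appendAfterElementDestroyed() {
    auto source = std::make_shared<Source>();
    { Element e(source); source->append(); }
    return source->append();         // closed source: no dangling access
}
```

If `close()` were skipped in `clearPlayer()`, the final `append()` would dereference a freed `Player`, which is the class of bug the commit message describes.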