CRASH in ImageDecoderAVFObjC::sampleAtIndex()
author: jer.noble@apple.com <jer.noble@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 17 May 2018 21:02:23 +0000 (21:02 +0000)
committer: jer.noble@apple.com <jer.noble@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 17 May 2018 21:02:23 +0000 (21:02 +0000)
https://bugs.webkit.org/show_bug.cgi?id=185734
<rdar://problem/40295094>

Reviewed by Eric Carlson.

Source/WebCore:

Test: fast/images/animated-image-mp4-crash.html

Test the correct size value before iterating over the SampleMap in presentationOrder()

* Modules/mediasource/SampleMap.h:
(WebCore::PresentationOrderSampleMap::size const):
* platform/graphics/avfoundation/objc/ImageDecoderAVFObjC.mm:
(WebCore::ImageDecoderAVFObjC::sampleAtIndex const):

LayoutTests:

* fast/images/animated-image-mp4-crash-expected.txt: Added.
* fast/images/animated-image-mp4-crash.html: Added.
* fast/images/resources/two-samples-with-same-pts.mp4: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@231920 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/images/animated-image-mp4-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/images/animated-image-mp4-crash.html [new file with mode: 0644]
LayoutTests/fast/images/resources/two-samples-with-same-pts.mp4 [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/Modules/mediasource/SampleMap.h
Source/WebCore/platform/graphics/avfoundation/objc/ImageDecoderAVFObjC.mm

index cde2a0d..16257f2 100644 (file)
@@ -1,3 +1,15 @@
+2018-05-17  Jer Noble  <jer.noble@apple.com>
+
+        CRASH in ImageDecoderAVFObjC::sampleAtIndex()
+        https://bugs.webkit.org/show_bug.cgi?id=185734
+        <rdar://problem/40295094>
+
+        Reviewed by Eric Carlson.
+
+        * fast/images/animated-image-mp4-crash-expected.txt: Added.
+        * fast/images/animated-image-mp4-crash.html: Added.
+        * fast/images/resources/two-samples-with-same-pts.mp4: Added.
+
 2018-05-17  Youenn Fablet  <youenn@apple.com>
 
         REGRESSION (r229831?): Layout Test http/tests/appcache/interrupted-update.html is a flaky failure
diff --git a/LayoutTests/fast/images/animated-image-mp4-crash-expected.txt b/LayoutTests/fast/images/animated-image-mp4-crash-expected.txt
new file mode 100644 (file)
index 0000000..fada9c5
--- /dev/null
@@ -0,0 +1,9 @@
+Test that a malformed mp4 media file loaded as an image should not crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/images/animated-image-mp4-crash.html b/LayoutTests/fast/images/animated-image-mp4-crash.html
new file mode 100644 (file)
index 0000000..cb699db
--- /dev/null
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+<body>
+    <img>
+    <script src="../../resources/js-test-pre.js"></script>
+    <script>
+        window.jsTestIsAsync = true;
+
+        function loadImage(src) {
+            return new Promise(resolve => {
+                const image = document.querySelector('img');
+                image.src = src;
+                return image.decode().then(() => { resolve(image); });
+            });
+        }
+
+        function endTest() {
+            finishJSTest();
+            if (window.testRunner)
+                testRunner.notifyDone();
+        }
+
+        description('Test that a malformed mp4 media file loaded as an image should not crash.')
+
+        loadImage("resources/two-samples-with-same-pts.mp4").then(image => {
+            setTimeout(endTest, 100);
+        });
+    </script>
+    <script src="../../resources/js-test-post.js"></script>
+</body>
+</html>
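Review bot: In loadImage() the Promise never settles if image.decode() rejects, and a malformed mp4 is exactly the input this test feeds it, so a rejection would leave the test hanging until the harness timeout instead of reaching endTest(); the `return` in front of `image.decode()` inside the executor also has no effect. Since the test only asserts that loading does not crash, resolve on both outcomes, e.g. `image.decode().then(() => resolve(image), () => resolve(image));`. The `image` parameter of the `.then(image => ...)` callback is unused and can be dropped, and the fixed `setTimeout(endTest, 100)` is a timing assumption that deserves a one-line comment saying what the 100 ms is waiting for (presumably frame requests issued after decode, which is where sampleAtIndex() is reached).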
diff --git a/LayoutTests/fast/images/resources/two-samples-with-same-pts.mp4 b/LayoutTests/fast/images/resources/two-samples-with-same-pts.mp4
new file mode 100644 (file)
index 0000000..1715875
Binary files /dev/null and b/LayoutTests/fast/images/resources/two-samples-with-same-pts.mp4 differ
index 41d9b53..1cbeca0 100644 (file)
@@ -1,3 +1,20 @@
+2018-05-17  Jer Noble  <jer.noble@apple.com>
+
+        CRASH in ImageDecoderAVFObjC::sampleAtIndex()
+        https://bugs.webkit.org/show_bug.cgi?id=185734
+        <rdar://problem/40295094>
+
+        Reviewed by Eric Carlson.
+
+        Test: fast/images/animated-image-mp4-crash.html
+
+        Test the correct size value before iterating over the SampleMap in presentationOrder()
+
+        * Modules/mediasource/SampleMap.h:
+        (WebCore::PresentationOrderSampleMap::size const):
+        * platform/graphics/avfoundation/objc/ImageDecoderAVFObjC.mm:
+        (WebCore::ImageDecoderAVFObjC::sampleAtIndex const):
+
 2018-05-17  Wenson Hsieh  <wenson_hsieh@apple.com>
 
         [Extra zoom mode] Disabled adaptations are not reset upon mainframe navigation
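Review bot: The ChangeLog line "Test the correct size value before iterating over the SampleMap in presentationOrder()" says what changed but not why the two sizes differ. The test resource name (two-samples-with-same-pts.mp4) implies that samples sharing a presentation timestamp collapse to a single entry in the presentation-order map while still being counted by m_sampleData.size(), so the old bound let the loop in sampleAtIndex() walk past end(). Spelling that out here would save the next reader from reconstructing the root cause from the test file name.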
index 14e872a..f27faad 100644 (file)
@@ -54,6 +54,8 @@ public:
     reverse_iterator rend() { return m_samples.rend(); }
     const_reverse_iterator rend() const { return m_samples.rend(); }
 
+    size_t size() const { return m_samples.size(); }
+
     WEBCORE_EXPORT iterator findSampleWithPresentationTime(const MediaTime&);
     WEBCORE_EXPORT iterator findSampleContainingPresentationTime(const MediaTime&);
     WEBCORE_EXPORT iterator findSampleContainingOrAfterPresentationTime(const MediaTime&);
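Review bot: The new PresentationOrderSampleMap::size() accessor is undocumented, and its value is the one subtle thing in this patch: it can be smaller than the number of samples added to the SampleMap (the divergence that sampleAtIndex() in ImageDecoderAVFObjC.mm is being fixed for). A one-line comment stating that this is the number of distinct presentation-time entries, not the number of samples appended, would keep the next caller from making the same mistake with m_sampleData.size().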
index 6e53a19..6368cb4 100644 (file)
@@ -670,7 +670,7 @@ void ImageDecoderAVFObjC::clearFrameBufferCache(size_t index)
 
 const ImageDecoderAVFObjCSample* ImageDecoderAVFObjC::sampleAtIndex(size_t index) const
 {
-    if (index >= m_sampleData.size())
+    if (index >= m_sampleData.presentationOrder().size())
         return nullptr;
 
     // FIXME: std::map is not random-accessible; this can get expensive if callers repeatedly call
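Review bot: The bound now matches the container that is actually iterated a few lines below (presentationOrder()), which is the right fix for the out-of-range walk, but the check and the iteration are still two independent calls that must stay in sync. A comment on the changed line noting that m_sampleData.size() and presentationOrder().size() can differ when samples share a presentation time would explain why the more obvious-looking m_sampleData.size() is wrong here and discourage someone from reverting it during a later cleanup.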
@@ -679,7 +679,7 @@ const ImageDecoderAVFObjCSample* ImageDecoderAVFObjC::sampleAtIndex(size_t index
     auto iter = m_sampleData.presentationOrder().begin();
     for (size_t i = 0; i != index; ++i)
         ++iter;
-    
+
     return toSample(iter);
 }
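Review bot: The counting loop `for (size_t i = 0; i != index; ++i) ++iter;` still has no end() guard, so it is only as safe as the size check above it; bounding the walk by the iterator itself, e.g. `for (size_t i = 0; i != index && iter != end; ++i) ++iter;` with `end` taken from presentationOrder().end() and `if (iter == end) return nullptr;` before toSample(iter), would keep sampleAtIndex() safe even if the size check is later changed or the map is mutated between the two calls. The whitespace-only change to the blank line is fine to fold into this patch.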