CRASH in AudioDestinationNode::render()
author jer.noble@apple.com <jer.noble@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 6 Apr 2016 21:21:47 +0000
committer jer.noble@apple.com <jer.noble@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 6 Apr 2016 21:21:47 +0000
https://bugs.webkit.org/show_bug.cgi?id=156308
<rdar://problem/25468815>

Reviewed by Eric Carlson.

AudioDestinationNode::render() will crash when passed in a zero-length frame count. Rather than get into
this bad state, ASSERT() and bail out early in this case.

Also, address the situation in AudioDestinationIOS::render which can cause this 0-frame count to occur.

* Modules/webaudio/AudioDestinationNode.cpp:
(WebCore::AudioDestinationNode::render):
* platform/audio/ios/AudioDestinationIOS.cpp:
(WebCore::AudioDestinationIOS::render):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199116 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/Modules/webaudio/AudioDestinationNode.cpp
Source/WebCore/platform/audio/ios/AudioDestinationIOS.cpp

index 85a3a4c..f18d112 100644 (file)
@@ -1,3 +1,22 @@
+2016-04-06  Jer Noble  <jer.noble@apple.com>
+
+        CRASH in AudioDestinationNode::render()
+        https://bugs.webkit.org/show_bug.cgi?id=156308
+        <rdar://problem/25468815>
+
+        Reviewed by Eric Carlson.
+
+        
+        AudioDestinationNode::render() will crash when passed in a zero-length frame count. Rather than get into
+        this bad state, ASSERT() and bail out early in this case.
+
+        Also, address the situation in AudioDestinationIOS::render which can cause this 0-frame count to occur.
+
+        * Modules/webaudio/AudioDestinationNode.cpp:
+        (WebCore::AudioDestinationNode::render):
+        * platform/audio/ios/AudioDestinationIOS.cpp:
+        (WebCore::AudioDestinationIOS::render):
+
 2016-04-06  Per Arne Vollan  <peavo@outlook.com>
 
         [WinCairo][MediaFoundation] Videos are always autoplaying.
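Review bot: The ChangeLog entry does not say what the "situation in AudioDestinationIOS::render" actually is, and it names no test. The line "Also, address the situation in AudioDestinationIOS::render which can cause this 0-frame count to occur." leaves the reader to work out the trigger from the diff. Suggest one sentence stating when the frame count reaches zero, plus a test reference or a note on why none was added. The whitespace-only added line after the blank line that follows "Reviewed by Eric Carlson." can also be dropped.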
index e816319..5112818 100644 (file)
@@ -68,6 +68,13 @@ void AudioDestinationNode::render(AudioBus*, AudioBus* destinationBus, size_t nu
         return;
     }
 
+    ASSERT(numberOfFrames);
+    if (!numberOfFrames) {
+        destinationBus->zero();
+        setIsSilent(true);
+        return;
+    }
+
     // Let the context take care of any business at the start of each render quantum.
     context().handlePreRenderTasks();
 
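Review bot: ASSERT(numberOfFrames) directly above "if (!numberOfFrames)" means debug builds abort on exactly the input the new branch is meant to survive, so the destinationBus->zero() / setIsSilent(true) path only ever runs in release builds. If a zero frame count can still arrive from a platform render callback, consider dropping the ASSERT or replacing it with a logged early return, and add a comment naming the caller that can pass zero. The branch also dereferences destinationBus, and the condition of the early return just above it is outside this hunk, so it is worth confirming that return already covers a null bus.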
index f6b0cf6..ebdbf5b 100644 (file)
@@ -232,6 +232,8 @@ OSStatus AudioDestinationIOS::render(UInt32 numberOfFrames, AudioBufferList* ioD
         UInt32 framesThisTime = std::min<UInt32>(kRenderBufferSize, framesRemaining);
         assignAudioBuffersToBus(buffers, *m_renderBus, numberOfBuffers, numberOfFrames, frameOffset, framesThisTime);
 
+        if (!framesThisTime)
+            break;
         if (framesThisTime < kRenderBufferSize) {
             m_callback.render(0, m_spareBus.get(), kRenderBufferSize);
             m_renderBus->copyFromRange(*m_spareBus, 0, framesThisTime);
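Review bot: The new "if (!framesThisTime) break;" sits after the assignAudioBuffersToBus(...) call, so that call still runs with framesThisTime equal to zero before the loop exits. Moving the check directly under the std::min line avoids handing a zero-length range to the bus. A short comment on when framesRemaining can be zero inside the loop would explain why the guard is needed, and a blank line between the break and the following "if (framesThisTime < kRenderBufferSize)" would keep the two conditions visually separate.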