Lifetime of HTMLMediaElement is not properly handled in asynchronous actions
authorbfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 2 Dec 2018 01:52:59 +0000 (01:52 +0000)
committerbfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 2 Dec 2018 01:52:59 +0000 (01:52 +0000)
https://bugs.webkit.org/show_bug.cgi?id=192087
<rdar://problem/45975230>

Reviewed by Dean Jackson.

The HTMLMediaElement performs operations that allow arbitrary JavaScript to run. We need to make
sure the active media element is protected until those calls complete.

* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::didFinishInsertingNode):
(WebCore::HTMLMediaElement::exitFullscreen):
(WebCore::HTMLMediaElement::markCaptionAndSubtitleTracksAsUnconfigured):
(WebCore::HTMLMediaElement::scheduleConfigureTextTracks):
(WebCore::HTMLMediaElement::scheduleMediaEngineWasUpdated):
(WebCore::HTMLMediaElement::scheduleUpdatePlayState):
(WebCore::HTMLMediaElement::scheduleUpdateMediaState):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@238788 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/html/HTMLMediaElement.cpp

index 3293bc6..dcf602f 100644 (file)
@@ -1,3 +1,23 @@
+2018-12-01  Brent Fulgham  <bfulgham@apple.com>
+
+        Lifetime of HTMLMediaElement is not properly handled in asynchronous actions
+        https://bugs.webkit.org/show_bug.cgi?id=192087
+        <rdar://problem/45975230>
+
+        Reviewed by Dean Jackson.
+
+        The HTMLMediaElement performs operations that allow arbitrary JavaScript to run. We need to make
+        sure the active media element is protected until those calls complete.
+
+        * html/HTMLMediaElement.cpp:
+        (WebCore::HTMLMediaElement::didFinishInsertingNode):
+        (WebCore::HTMLMediaElement::exitFullscreen):
+        (WebCore::HTMLMediaElement::markCaptionAndSubtitleTracksAsUnconfigured):
+        (WebCore::HTMLMediaElement::scheduleConfigureTextTracks):
+        (WebCore::HTMLMediaElement::scheduleMediaEngineWasUpdated):
+        (WebCore::HTMLMediaElement::scheduleUpdatePlayState):
+        (WebCore::HTMLMediaElement::scheduleUpdateMediaState):
+
 2018-12-01  Chris Dumez  <cdumez@apple.com>
 
         [PSON] process-swapping may occur even though opener has handle to openee
index 0d527f6..0dcc889 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2007-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -917,6 +917,8 @@ Node::InsertedIntoAncestorResult HTMLMediaElement::insertedIntoAncestor(Insertio
 
 void HTMLMediaElement::didFinishInsertingNode()
 {
+    Ref<HTMLMediaElement> protectedThis(*this); // prepareForLoad may result in a 'beforeload' event, which can make arbitrary DOM mutations.
+
     if (m_inActiveDocument && m_networkState == NETWORK_EMPTY && !attributeWithoutSynchronization(srcAttr).isEmpty())
         prepareForLoad();
 
@@ -4510,6 +4512,7 @@ void HTMLMediaElement::scheduleConfigureTextTracks()
     m_configureTextTracksTask.scheduleTask([this, logSiteIdentifier] {
         UNUSED_PARAM(logSiteIdentifier);
         ALWAYS_LOG(logSiteIdentifier, "- lambda(), task fired");
+        Ref<HTMLMediaElement> protectedThis(*this); // configureTextTracks calls methods that can trigger arbitrary DOM mutations.
         configureTextTracks();
     });
 }
@@ -5063,6 +5066,7 @@ void HTMLMediaElement::scheduleMediaEngineWasUpdated()
     m_mediaEngineUpdatedTask.scheduleTask([this, logSiteIdentifier] {
         UNUSED_PARAM(logSiteIdentifier);
         ALWAYS_LOG(logSiteIdentifier, "- lambda(), task fired");
+        Ref<HTMLMediaElement> protectedThis(*this); // mediaEngineWasUpdated calls methods that can trigger arbitrary DOM mutations.
         mediaEngineWasUpdated();
     });
 }
@@ -5368,6 +5372,7 @@ void HTMLMediaElement::scheduleUpdatePlayState()
     m_updatePlayStateTask.scheduleTask([this, logSiteIdentifier] {
         UNUSED_PARAM(logSiteIdentifier);
         ALWAYS_LOG(logSiteIdentifier, "- lambda(), task fired");
+        Ref<HTMLMediaElement> protectedThis(*this); // updatePlayState calls methods that can trigger arbitrary DOM mutations.
         updatePlayState();
     });
 }
@@ -6047,6 +6052,7 @@ void HTMLMediaElement::exitFullscreen()
     VideoFullscreenMode oldVideoFullscreenMode = m_videoFullscreenMode;
     fullscreenModeChanged(VideoFullscreenModeNone);
 #if ENABLE(MEDIA_CONTROLS_SCRIPT)
+    Ref<HTMLMediaElement> protectedThis(*this); // updateMediaControlsAfterPresentationModeChange calls methods that can trigger arbitrary DOM mutations.
     updateMediaControlsAfterPresentationModeChange();
 #endif
     if (hasMediaControls())
@@ -6608,8 +6614,10 @@ void HTMLMediaElement::markCaptionAndSubtitleTracksAsUnconfigured(ReconfigureMod
 
     m_processingPreferenceChange = true;
     m_configureTextTracksTask.cancelTask();
-    if (mode == Immediately)
+    if (mode == Immediately) {
+        Ref<HTMLMediaElement> protectedThis(*this); // configureTextTracks calls methods that can trigger arbitrary DOM mutations.
         configureTextTracks();
+    }
     else
         scheduleConfigureTextTracks();
 }
@@ -7681,6 +7689,7 @@ void HTMLMediaElement::scheduleUpdateMediaState()
     m_updateMediaStateTask.scheduleTask([this, logSiteIdentifier] {
         UNUSED_PARAM(logSiteIdentifier);
         ALWAYS_LOG(logSiteIdentifier, "- lambda(), task fired");
+        Ref<HTMLMediaElement> protectedThis(*this); // updateMediaState calls methods that can trigger arbitrary DOM mutations.
         updateMediaState();
     });
 }
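Review bot: In exitFullscreen the new `protectedThis` is declared inside `#if ENABLE(MEDIA_CONTROLS_SCRIPT)`, so on a build without that feature the element is not kept alive for `hasMediaControls()` and whatever follows it, and even with the feature enabled `fullscreenModeChanged(VideoFullscreenModeNone)` on the preceding line runs before the protection begins. Hoisting `Ref<HTMLMediaElement> protectedThis(*this);` above the `#if` (or to the top of the function, whose body begins outside the hunk) covers both cases at no cost. The four task lambdas (scheduleConfigureTextTracks, scheduleMediaEngineWasUpdated, scheduleUpdatePlayState, scheduleUpdateMediaState) still capture a raw `this` and only take the Ref once the task fires, so they presumably rely on the `m_*Task` member being destroyed with the element to cancel pending tasks; a comment such as `// Safe to capture a raw this: the task queue is a member and cancels pending tasks on destruction.` at the first of them would record that assumption for the next reader. In markCaptionAndSubtitleTracksAsUnconfigured the closing brace and `else` on separate lines is against WebKit style, which wants `} else`.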