WebKit Bugzilla
Attachment 357836 Details for Bug 192941: REGRESSION (r239419): heap-use-after-free in AudioSourceProviderAVFObjC::finalizeCallback()
Patch: bug-192941-20181220111821.patch (text/plain), 1.81 KB, created by Jer Noble on 2018-12-20 11:18:22 PST
>Subversion Revision: 238907 >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index 29c3216203fb1da98357b4ab161700f9c7a19b60..62d39ff12e3280008c441615dc0ad67eaf593d0a 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog >@@ -1,3 +1,16 @@ >+2018-12-20 Jer Noble <jer.noble@apple.com> >+ >+ REGRESSION (r239419): heap-use-after-free in AudioSourceProviderAVFObjC::finalizeCallback() >+ https://bugs.webkit.org/show_bug.cgi?id=192941 >+ <rdar://problem/46874096> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Don't delete the locked lock before unlocking the lock. >+ >+ * platform/graphics/avfoundation/AudioSourceProviderAVFObjC.mm: >+ (WebCore::AudioSourceProviderAVFObjC::finalizeCallback): >+ > 2018-12-19 Jer Noble <jer.noble@apple.com> > > Leak of MTAudioProcessingTap (304 bytes) in com.apple.WebKit.WebContent running WebKit layout tests >diff --git a/Source/WebCore/platform/graphics/avfoundation/AudioSourceProviderAVFObjC.mm b/Source/WebCore/platform/graphics/avfoundation/AudioSourceProviderAVFObjC.mm >index 481ea368e9803641e9b557987db95cbf4c490c80..15b6b93c07d70608df60d6070c1db5e724977e77 100644 >--- a/Source/WebCore/platform/graphics/avfoundation/AudioSourceProviderAVFObjC.mm >+++ b/Source/WebCore/platform/graphics/avfoundation/AudioSourceProviderAVFObjC.mm >@@ -248,10 +248,11 @@ void AudioSourceProviderAVFObjC::finalizeCallback(MTAudioProcessingTapRef tap) > ASSERT(tap); > TapStorage* tapStorage = static_cast<TapStorage*>(MTAudioProcessingTapGetStorage(tap)); > >- std::lock_guard<Lock> lock(tapStorage->mutex); >- >- if (tapStorage->_this) >- tapStorage->_this->finalize(); >+ { >+ std::lock_guard<Lock> lock(tapStorage->mutex); >+ if (tapStorage->_this) >+ tapStorage->_this->finalize(); >+ } > delete tapStorage; > } >
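Review bot: In the ChangeLog hunk, the description line "Don't delete the locked lock before unlocking the lock." does not name the objects involved. Suggest stating that the std::lock_guard in finalizeCallback() still held tapStorage->mutex when `delete tapStorage` ran, so the guard's destructor unlocked a mutex that lived inside already-freed storage. The entry also does not say how the fix was verified; a line naming the test or sanitizer run that reproduces the heap-use-after-free would help the next reader.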
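Review bot: In the AudioSourceProviderAVFObjC.mm hunk, the new braces in finalizeCallback() exist only to end the std::lock_guard's lifetime before `delete tapStorage;`, and nothing in the code says so, so a later cleanup could remove them and reintroduce the use-after-free. Suggest a one-line comment above the block explaining that the guard must be destroyed before the storage is deleted. Separately, the mutex is a member of the object being deleted: once the guard releases it, any other thread blocked on or about to take tapStorage->mutex would be locking freed memory. These lines do not show whether another holder of tapStorage can exist at this point; please confirm that no other access is possible after finalize(), or keep the storage alive through a reference count.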