From d56afe6836db40cdea22eaa6b47c56a6197a8bab Mon Sep 17 00:00:00 2001
From: Chris Dumez <cdumez@apple.com>
Date: Fri, 7 May 2021 16:42:35 +0000
Subject: [PATCH] AudioWorkletProcessor which does not extend base class
 crashes Safari https://bugs.webkit.org/show_bug.cgi?id=225449
 <rdar://problem/77624792>

Reviewed by Sam Weinig.

Update AudioWorkletGlobalScope::createProcessor() to validate the type of the processor
after constructing it.

* Modules/webaudio/AudioWorkletGlobalScope.cpp:
(WebCore::AudioWorkletGlobalScope::createProcessor):


Canonical link: https://commits.webkit.org/237463@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@277177 268f45cc-cd09-0410-ab3c-d52691b4dbfc
---
 Source/WebCore/ChangeLog                           | 14 ++++++++++++++
 .../Modules/webaudio/AudioWorkletGlobalScope.cpp   |  9 ++++++---
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 37ad10bfdb1c..ffc91fa7e51e 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,17 @@
+2021-05-07  Chris Dumez  <cdumez@apple.com>
+
+        AudioWorkletProcessor which does not extend base class crashes Safari
+        https://bugs.webkit.org/show_bug.cgi?id=225449
+        <rdar://problem/77624792>
+
+        Reviewed by Sam Weinig.
+
+        Update AudioWorkletGlobalScope::createProcessor() to validate the type of the processor
+        after constructing it.
+
+        * Modules/webaudio/AudioWorkletGlobalScope.cpp:
+        (WebCore::AudioWorkletGlobalScope::createProcessor):
+
 2021-05-07  Philippe Normand  <pnormand@igalia.com>
 
         [GStreamer][MediaStream] Emit black frames for disabled video tracks
diff --git a/Source/WebCore/Modules/webaudio/AudioWorkletGlobalScope.cpp b/Source/WebCore/Modules/webaudio/AudioWorkletGlobalScope.cpp
index ad563da53c04..2070fc7c1098 100644
--- a/Source/WebCore/Modules/webaudio/AudioWorkletGlobalScope.cpp
+++ b/Source/WebCore/Modules/webaudio/AudioWorkletGlobalScope.cpp
@@ -150,10 +150,13 @@ RefPtr<AudioWorkletProcessor> AudioWorkletGlobalScope::createProcessor(const Str
     ASSERT(!!scope.exception() == !object);
     RETURN_IF_EXCEPTION(scope, nullptr);
 
-    auto& jsProcessor = *JSC::jsCast<JSAudioWorkletProcessor*>(object);
-    jsProcessor.wrapped().setProcessCallback(makeUnique<JSCallbackDataStrong>(&jsProcessor, globalObject));
+    auto* jsProcessor = JSC::jsDynamicCast<JSAudioWorkletProcessor*>(vm, object);
+    if (!jsProcessor)
+        return nullptr;
+
+    jsProcessor->wrapped().setProcessCallback(makeUnique<JSCallbackDataStrong>(jsProcessor, globalObject));
 
-    return &jsProcessor.wrapped();
+    return &jsProcessor->wrapped();
 }
 
 void AudioWorkletGlobalScope::prepareForDestruction()