Cherry-pick 56b164c. rdar://122444388

REGRESSION(272969@main): Null-deref crash in SourceBufferPrivateAVFObjC::trackDidChangeEnabled https://bugs.webkit.org/show_bug.cgi?id=268921 rdar://122444388 Reviewed by Eric Carlson. The WebAVSampleBufferListener m_listener is invalidated and destroyed in SourceBufferPrivateAVFObjC::destroyRenderers(), and is never recreated. It is subsequently used without nil-checking the next time a renderer is recreated. Rather than destroying and re-creating whenever renderers are destroyed and created, make it a Ref<> object whose lifetime is the same (or longer) as the object which owns it. * Source/WebCore/platform/graphics/avfoundation/objc/SourceBufferPrivateAVFObjC.h: * Source/WebCore/platform/graphics/avfoundation/objc/SourceBufferPrivateAVFObjC.mm: (WebCore::SourceBufferPrivateAVFObjC::~SourceBufferPrivateAVFObjC): (WebCore::SourceBufferPrivateAVFObjC::destroyRenderers): Canonical link: https://commits.webkit.org/274323@main Identifier: 272448.540@safari-7618.1.15.10-branch
WebKit · Feb 9, 2024 · 0c6c107 · 0c6c107
1 parent d4a8b8c
commit 0c6c107
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 7 deletions.
diff --git a/Source/WebCore/platform/graphics/avfoundation/objc/SourceBufferPrivateAVFObjC.h b/Source/WebCore/platform/graphics/avfoundation/objc/SourceBufferPrivateAVFObjC.h
@@ -215,7 +215,7 @@ ALLOW_NEW_API_WITHOUT_GUARDS_END
 ALLOW_NEW_API_WITHOUT_GUARDS_BEGIN
     StdUnorderedMap<TrackID, RetainPtr<AVSampleBufferAudioRenderer>> m_audioRenderers;
 ALLOW_NEW_API_WITHOUT_GUARDS_END
-    RefPtr<WebAVSampleBufferListener> m_listener;
+    Ref<WebAVSampleBufferListener> m_listener;
 #if PLATFORM(IOS_FAMILY)
     bool m_displayLayerWasInterrupted { false };
 #endif

diff --git a/Source/WebCore/platform/graphics/avfoundation/objc/SourceBufferPrivateAVFObjC.mm b/Source/WebCore/platform/graphics/avfoundation/objc/SourceBufferPrivateAVFObjC.mm
@@ -143,6 +143,7 @@ static inline bool shouldAddContentKeyRecipients()
     destroyStreamDataParser();
     destroyRenderers();
     clearTracks();
+    m_listener->invalidate();
 
     abort();
 }
@@ -504,11 +505,6 @@ static inline bool shouldAddContentKeyRecipients()
 #endif
     }
 
-    if (m_listener) {
-        m_listener->invalidate();
-        m_listener = nullptr;
-    }
-
     m_audioRenderers.clear();
 }
 
@@ -1249,7 +1245,6 @@ static inline bool shouldAddContentKeyRecipients()
     ASSERT(!layer || !m_decompressionSession || hasSelectedVideo());
 
     if (m_videoLayer) {
-        ASSERT(m_listener);
         m_videoLayer->flush();
         m_videoLayer->stopRequestingMediaData();
         m_listener->stopObservingLayer(m_videoLayer->displayLayer());