ASAN_ILL | WebCore::Document::removePlaybackTargetPickerClient.

rdar://120661908 Reviewed by Chris Dumez. Unable to ref the page from removePlaybackTargetPickerClient as it may have started destruction. * LayoutTests/media/audio-remove-playback-crash-expected.txt: Added. * LayoutTests/media/audio-remove-playback-crash.html: Added. * Source/WebCore/dom/Document.cpp: (WebCore::Document::removePlaybackTargetPickerClient): Originally-landed-as: 272448.387@safari-7618-branch (303478e). rdar://124554687 Canonical link: https://commits.webkit.org/276164@main
WebKit · Mar 15, 2024 · 5f24a7c · 5f24a7c
1 parent 4ad05d7
commit 5f24a7c
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 1 deletion.
diff --git a/LayoutTests/media/audio-remove-playback-crash-expected.txt b/LayoutTests/media/audio-remove-playback-crash-expected.txt
@@ -0,0 +1 @@
+This test passes if no crash.
diff --git a/LayoutTests/media/audio-remove-playback-crash.html b/LayoutTests/media/audio-remove-playback-crash.html
@@ -0,0 +1,22 @@
+<p>This test passes if no crash.</p>
+<script>
+    if (window.testRunner)
+        testRunner.dumpAsText();
+    function GetVariable(fuzzervars, var_type) { { return fuzzervars[var_type]; } { } }
+    function SetVariable(fuzzervars, var_name, var_type) { fuzzervars[var_type] = var_name; }
+    function jsfuzzer() {
+        var fuzzervars = {};
+        SetVariable(fuzzervars, document, 'Document');
+        try { /* */ var var00041 = htmlvar00009.import; } catch (e) { }
+        try { if (!var00041) { var00041 = GetVariable(fuzzervars, 'Document'); } { SetVariable(fuzzervars, 'GlobalEventHandlers'); } } catch (e) { }
+        try { /* */ var00054 = htmlvar00002.outerHTML; } catch (e) { }
+        try { /* */ var00066 = document.createElement("input"); } catch (e) { }
+        try { document.all[81 % document.all.length].appendChild(var00066); } catch (e) { }
+        try { var00066.selectionEnd = 20; } catch (e) { }
+        try { var00041.execCommand("insertHTML", false, var00054); } catch (e) { }
+    }
+</script>
+
+<body onload=jsfuzzer()>
+    <audio id="htmlvar00002" srclang="ja-Hira" />
+</body>
diff --git a/Source/WebCore/dom/Document.cpp b/Source/WebCore/dom/Document.cpp
@@ -8909,7 +8909,8 @@ void Document::removePlaybackTargetPickerClient(MediaPlaybackTargetClient& clien
     m_idToClientMap.remove(clientId);
     m_clientToIDMap.remove(it);
 
-    if (RefPtr page = this->page())
+    // Unable to ref the page as it may have started destruction.
+    if (WeakPtr page = this->page())
         page->removePlaybackTargetPickerClient(clientId);
 }