[Cocoa] Null-pointer deref in MediaKeySystemAccess::createMediaKeys()
https://bugs.webkit.org/show_bug.cgi?id=227911
<rdar://80325855>

Reviewed by Chris Dumez.

In r278481, we moved from a (timer-based) GenericTaskQueue to the document's event loop, but in so
doing, allowed the passed-in lambda to be called after the underlying object had been destroyed.
Make MediaKeySystemAccess a CanMakeWeakPtr and pass in a WeakPtr to the lambda. To ensure that the
lambda itself keeps MediaKeySystemAccess during the execution of the lambda, also add a Ref to
the object after null-checking weakThis.

* Modules/encryptedmedia/MediaKeySystemAccess.cpp:
(WebCore::MediaKeySystemAccess::createMediaKeys):
* Modules/encryptedmedia/MediaKeySystemAccess.h:


Canonical link: https://commits.webkit.org/239668@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@279919 268f45cc-cd09-0410-ab3c-d52691b4dbfc
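The lifetime pattern the commit message describes (null-check a weak pointer inside the queued task, then hold a strong reference for the rest of the task), as an added stand-alone example that is not WebKit's code: it uses std::weak_ptr/std::shared_ptr in place of WTF::WeakPtr/Ref and a trivial task list in place of the document event loop. EventLoop, Access, createMediaKeysSafe and runScenario are names assumed for this illustration only.

```cpp
// Added example (not WebKit code): std::shared_ptr / std::weak_ptr stand in for
// WTF's Ref / WeakPtr, and a plain vector of std::function stands in for the
// document event loop's task queue.
#include <functional>
#include <memory>
#include <string>
#include <vector>

struct EventLoop {
    std::vector<std::function<void()>> tasks;
    void queueTask(std::function<void()> task) { tasks.push_back(std::move(task)); }
    void run() { for (auto& t : tasks) t(); tasks.clear(); }
};

// Hypothetical stand-in for MediaKeySystemAccess.
struct Access : std::enable_shared_from_this<Access> {
    std::string keySystem;
    explicit Access(std::string ks) : keySystem(std::move(ks)) {}

    // Queue a task that touches a member later. The weak pointer is checked
    // first, and the strong pointer obtained from it keeps *this alive while
    // the task body runs, mirroring weakThis + protectedThis in the patch.
    void createMediaKeysSafe(EventLoop& loop, std::string& out) {
        loop.queueTask([weakThis = weak_from_this(), &out] {
            auto protectedThis = weakThis.lock();
            if (!protectedThis)
                return;                 // object already destroyed: bail out
            out = protectedThis->keySystem;
        });
    }
};

// Returns what the task wrote. destroyBeforeRun == true reproduces the bug's
// timing: the last owner releases the object before the event loop runs the task.
std::string runScenario(bool destroyBeforeRun) {
    EventLoop loop;
    std::string out = "untouched";
    auto access = std::make_shared<Access>("org.w3.clearkey"); // constructed value
    access->createMediaKeysSafe(loop, out);
    if (destroyBeforeRun)
        access.reset();                 // no strong refs remain; task must do nothing
    loop.run();
    return out;
}
```

With the raw `this` capture the destroyed-before-run case would be a use-after-free; with the weak check it is a silent no-op, which is exactly the behaviour the patch relies on.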
jernoble committed Jul 14, 2021
1 parent 10c7d69 commit a4b29b9a7cb9fe9796b8ebfacaf81cbbc268f1e0
Showing 3 changed files with 25 additions and 2 deletions.
@@ -1,3 +1,21 @@
2021-07-14 Jer Noble <jer.noble@apple.com>

[Cocoa] Null-pointer deref in MediaKeySystemAccess::createMediaKeys()
https://bugs.webkit.org/show_bug.cgi?id=227911
<rdar://80325855>

Reviewed by Chris Dumez.

In r278481, we moved from a (timer-based) GenericTaskQueue to the document's event loop, but in so
doing, allowed the passed-in lambda to be called after the underlying object had been destroyed.
Make MediaKeySystemAccess a CanMakeWeakPtr and pass in a WeakPtr to the lambda. To ensure that the
lambda itself keeps MediaKeySystemAccess during the execution of the lambda, also add a Ref to
the object after null-checking weakThis.

* Modules/encryptedmedia/MediaKeySystemAccess.cpp:
(WebCore::MediaKeySystemAccess::createMediaKeys):
* Modules/encryptedmedia/MediaKeySystemAccess.h:

2021-07-14 Rob Buis <rbuis@igalia.com>

Rename hasOverflowClip() to prepare for the real overflow:clip
@@ -64,7 +64,11 @@ void MediaKeySystemAccess::createMediaKeys(Document& document, Ref<DeferredPromi
// When this method is invoked, the user agent must run the following steps:
// 1. Let promise be a new promise.
// 2. Run the following steps in parallel:
document.eventLoop().queueTask(TaskSource::MediaElement, [this, weakDocument = makeWeakPtr(document), promise = WTFMove(promise)] () mutable {
document.eventLoop().queueTask(TaskSource::MediaElement, [this, weakThis = makeWeakPtr(*this), weakDocument = makeWeakPtr(document), promise = WTFMove(promise)] () mutable {
RefPtr protectedThis = weakThis.get();
if (!protectedThis)
return;

// 2.1. Let configuration be the value of this object's configuration value.
// 2.2. Let use distinctive identifier be true if the value of configuration's distinctiveIdentifier member is "required" and false otherwise.
bool useDistinctiveIdentifier = m_configuration->distinctiveIdentifier == MediaKeysRequirement::Required;
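Review bot: `this` is still captured alongside `weakThis` in the new capture list (`[this, weakThis = makeWeakPtr(*this), ...]`), so any statement placed before the `if (!protectedThis) return;` check, now or in a later edit, can still dereference `this` unchecked, and the `m_configuration->distinctiveIdentifier` access below goes through the raw pointer rather than the guarded one; consider dropping `this` from the capture and reaching members through `protectedThis` (e.g. `protectedThis->m_configuration`) so the lifetime guarantee is visible at the point of use. Also, the early `return` leaves the moved-in `promise` unsettled when the object is already gone; if a pending promise should not hang in that case, reject it before returning.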
@@ -32,6 +32,7 @@

#include "MediaKeySystemConfiguration.h"
#include <wtf/RefCounted.h>
#include <wtf/WeakPtr.h>
#include <wtf/text/WTFString.h>

namespace WebCore {
@@ -41,7 +42,7 @@ class DeferredPromise;
class Document;
class MediaKeys;

class MediaKeySystemAccess : public RefCounted<MediaKeySystemAccess> {
class MediaKeySystemAccess : public RefCounted<MediaKeySystemAccess>, public CanMakeWeakPtr<MediaKeySystemAccess> {
public:
static Ref<MediaKeySystemAccess> create(const String& keySystem, MediaKeySystemConfiguration&&, Ref<CDM>&&);
~MediaKeySystemAccess();
