Cherry-pick 272448.387@safari-7618-branch (303478e). https://bugs.web…

…kit.org/show_bug.cgi?id=268183 ASAN_ILL | WebCore::Document::removePlaybackTargetPickerClient. rdar://120661908 Reviewed by Chris Dumez. Unable to ref the page from removePlaybackTargetPickerClient as it may have started destruction. * LayoutTests/media/audio-remove-playback-crash-expected.txt: Added. * LayoutTests/media/audio-remove-playback-crash.html: Added. * Source/WebCore/dom/Document.cpp: (WebCore::Document::removePlaybackTargetPickerClient): Canonical link: https://commits.webkit.org/272448.387@safari-7618-branch Canonical link: https://commits.webkit.org/266719.407@webkitglib/2.42
WebKit · Mar 14, 2024 · b7cfc9a · b7cfc9a
1 parent ecd593f
commit b7cfc9a
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 4 deletions.
diff --git a/LayoutTests/media/audio-remove-playback-crash-expected.txt b/LayoutTests/media/audio-remove-playback-crash-expected.txt
@@ -0,0 +1 @@
+This test passes if no crash.
diff --git a/LayoutTests/media/audio-remove-playback-crash.html b/LayoutTests/media/audio-remove-playback-crash.html
@@ -0,0 +1,22 @@
+<p>This test passes if no crash.</p>
+<script>
+    if (window.testRunner)
+        testRunner.dumpAsText();
+    function GetVariable(fuzzervars, var_type) { { return fuzzervars[var_type]; } { } }
+    function SetVariable(fuzzervars, var_name, var_type) { fuzzervars[var_type] = var_name; }
+    function jsfuzzer() {
+        var fuzzervars = {};
+        SetVariable(fuzzervars, document, 'Document');
+        try { /* */ var var00041 = htmlvar00009.import; } catch (e) { }
+        try { if (!var00041) { var00041 = GetVariable(fuzzervars, 'Document'); } { SetVariable(fuzzervars, 'GlobalEventHandlers'); } } catch (e) { }
+        try { /* */ var00054 = htmlvar00002.outerHTML; } catch (e) { }
+        try { /* */ var00066 = document.createElement("input"); } catch (e) { }
+        try { document.all[81 % document.all.length].appendChild(var00066); } catch (e) { }
+        try { var00066.selectionEnd = 20; } catch (e) { }
+        try { var00041.execCommand("insertHTML", false, var00054); } catch (e) { }
+    }
+</script>
+
+<body onload=jsfuzzer()>
+    <audio id="htmlvar00002" srclang="ja-Hira" />
+</body>
diff --git a/Source/WebCore/dom/Document.cpp b/Source/WebCore/dom/Document.cpp
@@ -8151,10 +8151,9 @@ void Document::removePlaybackTargetPickerClient(MediaPlaybackTargetClient& clien
     m_idToClientMap.remove(clientId);
     m_clientToIDMap.remove(it);
 
-    Page* page = this->page();
-    if (!page)
-        return;
-    page->removePlaybackTargetPickerClient(clientId);
+    // Unable to ref the page as it may have started destruction.
+    if (WeakPtr page = this->page())
+        page->removePlaybackTargetPickerClient(clientId);
 }
 
 void Document::showPlaybackTargetPicker(MediaPlaybackTargetClient& client, bool isVideo, RouteSharingPolicy routeSharingPolicy, const String& routingContextUID)