Use-after-free in WebCore::WaveShaperDSPKernel::processCurve()

https://bugs.webkit.org/show_bug.cgi?id=271654
rdar://123631199

Reviewed by Jer Noble.

Make sure WaveShaperNode::curveForBindings() clones our internal array
before returning it to JS. This is important so that the JS cannot
modify our internal array on the main thread while the audio thread is
using it for rendering.

* Source/WebCore/Modules/webaudio/WaveShaperNode.cpp:
(WebCore::WaveShaperNode::curveForBindings):
* Source/WebCore/Modules/webaudio/WaveShaperNode.h:

Originally-landed-as: 272448.781@safari-7618-branch (bc10314). rdar://128088238
Canonical link: https://commits.webkit.org/278813@main

Source/WebCore/Modules/webaudio/WaveShaperNode.cpp

@@ -90,10 +90,16 @@ ExceptionOr<void> WaveShaperNode::setCurveForBindings(RefPtr<Float32Array>&& cur
     return { };
 }
 
-Float32Array* WaveShaperNode::curveForBindings()
+RefPtr<Float32Array> WaveShaperNode::curveForBindings()
 {
     ASSERT(isMainThread());
-    return waveShaperProcessor()->curveForBindings();
+    RefPtr curve = waveShaperProcessor()->curveForBindings();
+    if (!curve)
+        return nullptr;
+
+    // Make a clone of our internal array so that JS cannot modify our internal array
+    // on the main thread while the audio thread is using it for rendering.
+    return Float32Array::create(curve->data(), curve->length());
 }
 
 static inline WaveShaperProcessor::OverSampleType processorType(OverSampleType type)

Source/WebCore/Modules/webaudio/WaveShaperNode.h

@@ -41,7 +41,7 @@ class WaveShaperNode final : public AudioBasicProcessorNode {
 
     // setCurve() is called on the main thread.
     ExceptionOr<void> setCurveForBindings(RefPtr<Float32Array>&&);
-    Float32Array* curveForBindings();
+    RefPtr<Float32Array> curveForBindings();
 
     void setOversampleForBindings(OverSampleType);
     OverSampleType oversampleForBindings() const;