WebKit Bugzilla
Attachment 340630 Details for Bug 185734: CRASH in ImageDecoderAVFObjC::sampleAtIndex()
[patch] Patch for landing
bug-185734-20180517132302.patch (text/plain), 7.56 KB, created by Jer Noble on 2018-05-17 13:23:03 PDT
>Subversion Revision: 231813 >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index a8a3f169dc232baef8362496f5536b2518762b6a..1ab0b2db5baf62b1d2210c9bb2e510d639703491 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog >@@ -1,3 +1,20 @@ >+2018-05-17 Jer Noble <jer.noble@apple.com> >+ >+ CRASH in ImageDecoderAVFObjC::sampleAtIndex() >+ https://bugs.webkit.org/show_bug.cgi?id=185734 >+ <rdar://problem/40295094> >+ >+ Reviewed by Eric Carlson. >+ >+ Test: fast/images/animated-image-mp4-crash.html >+ >+ Test the correct size value before iterating over the SampleMap in presentationOrder() >+ >+ * Modules/mediasource/SampleMap.h: >+ (WebCore::PresentationOrderSampleMap::size const): >+ * platform/graphics/avfoundation/objc/ImageDecoderAVFObjC.mm: >+ (WebCore::ImageDecoderAVFObjC::sampleAtIndex const): >+ > 2018-05-16 Jer Noble <jer.noble@apple.com> > > CRASH: Exception thrown from -[AVContentKeySession processContentKeyRequestWithIdentifier:initializationData:options:] after -expire called >diff --git a/Source/WebCore/Modules/mediasource/SampleMap.h b/Source/WebCore/Modules/mediasource/SampleMap.h >index 14e872a8f2a4b1eab336d9f1236e3e80d1a1e61b..f27faad57bb23759284fdaab95dd1531456853e8 100644 >--- a/Source/WebCore/Modules/mediasource/SampleMap.h >+++ b/Source/WebCore/Modules/mediasource/SampleMap.h >@@ -54,6 +54,8 @@ public: > reverse_iterator rend() { return m_samples.rend(); } > const_reverse_iterator rend() const { return m_samples.rend(); } > >+ size_t size() const { return m_samples.size(); } >+ > WEBCORE_EXPORT iterator findSampleWithPresentationTime(const MediaTime&); > WEBCORE_EXPORT iterator findSampleContainingPresentationTime(const MediaTime&); > WEBCORE_EXPORT iterator findSampleContainingOrAfterPresentationTime(const MediaTime&); 
>diff --git a/Source/WebCore/platform/graphics/avfoundation/objc/ImageDecoderAVFObjC.mm b/Source/WebCore/platform/graphics/avfoundation/objc/ImageDecoderAVFObjC.mm >index 6e53a1960393866827adaeb41ed482aaa85abcca..6368cb46b2fa6bd8144821a60573f63c94ce0e3c 100644 >--- a/Source/WebCore/platform/graphics/avfoundation/objc/ImageDecoderAVFObjC.mm >+++ b/Source/WebCore/platform/graphics/avfoundation/objc/ImageDecoderAVFObjC.mm >@@ -670,7 +670,7 @@ void ImageDecoderAVFObjC::clearFrameBufferCache(size_t index) > > const ImageDecoderAVFObjCSample* ImageDecoderAVFObjC::sampleAtIndex(size_t index) const > { >- if (index >= m_sampleData.size()) >+ if (index >= m_sampleData.presentationOrder().size()) > return nullptr; > > // FIXME: std::map is not random-accessible; this can get expensive if callers repeatedly call >@@ -679,7 +679,7 @@ const ImageDecoderAVFObjCSample* ImageDecoderAVFObjC::sampleAtIndex(size_t index > auto iter = m_sampleData.presentationOrder().begin(); > for (size_t i = 0; i != index; ++i) > ++iter; >- >+ > return toSample(iter); > } > >diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog >index fcdf7f84155f5165261a4ad94d7f11d62d836d26..80024f9144a93e09b1121c248d60296e4b3559b7 100644 >--- a/LayoutTests/ChangeLog >+++ b/LayoutTests/ChangeLog >@@ -1,3 +1,15 @@ >+2018-05-17 Jer Noble <jer.noble@apple.com> >+ >+ CRASH in ImageDecoderAVFObjC::sampleAtIndex() >+ https://bugs.webkit.org/show_bug.cgi?id=185734 >+ <rdar://problem/40295094> >+ >+ Reviewed by Eric Carlson. >+ >+ * fast/images/animated-image-mp4-crash-expected.txt: Added. >+ * fast/images/animated-image-mp4-crash.html: Added. >+ * fast/images/resources/two-samples-with-same-pts.mp4: Added. >+ > 2018-05-09 Jer Noble <jer.noble@apple.com> > > Media continues loading after rendered invisible (removed from DOM; scrolled off screen) 
>diff --git a/LayoutTests/fast/images/animated-image-mp4-crash-expected.txt b/LayoutTests/fast/images/animated-image-mp4-crash-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..fada9c56613a164d83778f4fc36be69587c007c0 >--- /dev/null >+++ b/LayoutTests/fast/images/animated-image-mp4-crash-expected.txt >@@ -0,0 +1,9 @@ >+Test that a malformed mp4 media file loaded as an image should not crash. >+ >+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". >+ >+ >+PASS successfullyParsed is true >+ >+TEST COMPLETE >+ >diff --git a/LayoutTests/fast/images/animated-image-mp4-crash.html b/LayoutTests/fast/images/animated-image-mp4-crash.html >new file mode 100644 >index 0000000000000000000000000000000000000000..cb699db5e679fdf379f20a4c94091afc438c2c05 >--- /dev/null >+++ b/LayoutTests/fast/images/animated-image-mp4-crash.html >@@ -0,0 +1,31 @@ >+<!DOCTYPE html> >+<html> >+<body> >+ <img> >+ <script src="../../resources/js-test-pre.js"></script> >+ <script> >+ window.jsTestIsAsync = true; >+ >+ function loadImage(src) { >+ return new Promise(resolve => { >+ const image = document.querySelector('img'); >+ image.src = src; >+ return image.decode().then(() => { resolve(image); }); >+ }); >+ } >+ >+ function endTest() { >+ finishJSTest(); >+ if (window.testRunner) >+ testRunner.notifyDone(); >+ } >+ >+ description('Test that a malformed mp4 media file loaded as an image should not crash.') >+ >+ loadImage("resources/two-samples-with-same-pts.mp4").then(image => { >+ setTimeout(endTest, 100); >+ }); >+ </script> >+ <script src="../../resources/js-test-post.js"></script> >+</body> >+</html> 
>diff --git a/LayoutTests/fast/images/resources/two-samples-with-same-pts.mp4 b/LayoutTests/fast/images/resources/two-samples-with-same-pts.mp4 >new file mode 100644 >index 0000000000000000000000000000000000000000..17158753612123931883e2f4bb8be19abbee22c7 >GIT binary patch >literal 2814 >zcmc&#dr(wW82|3wHz3}X4Vhf@A`d}PgK?68hDAl2Ns3GvbTHYMLF}^Y?uua6ULNX- >zj+SMj<cMSCIMWynqcM#S5GGAfsc{BJOcp4#X&PZj!P?>Won7{UQvGA~?LFsvp6}lC >zo!|Ku0F)bT<z}OKQ8EBf$dia%WHlK91QAA)sTA!7V`-rdIdsi7Q)Hkx6Ndm$B8rbD >zC}@35SNQ@b6=(qZ6Pra{jNW`(vHP9w_l>{Pn@#Y<YOlxZcuZHJol5i!6l3%{n-#fI >zZ?M{s6Cx`-dEIMirBPR;MjLC?O}_UvZDbiF73vHYw}ew^kxuWG314cm=-F&NW@2;E >zWkM6xYAh<*h=QWj=-D6%9H$ta$EVa;^dyE5`J9l=76a>%sVb{YV?g<`)n;`cipLI3 >z>QZeI%7olo@Q9w7O2qBIgfba~o`~?61Lg>xM{OQvT}mx+D)?Sd%t3xKA}(yCEI5Z@ >z!h*Wa4Kfr6<L}5E7#gNE87w7QLm4I~Kct|IMS6or(iU0}Qb>$hZ8ak&W-=nIHuqtm >z=+?<05W52RM-GXQH+HI3XCrHYWf+{57@{RAk~hS=oJHSOkIOxyot}%M9miF)V0tY% >z4??(Bkd8cFi=RRgA$ju<nc|TMCklY%iczN~xCs%1q+-K+Bv{3v{)|{87wr7)m8(H7 >z-#+$XYU_=<>9c@1I%AvIIXo}Sp{iD|QbDu&5(tu-Av3L&9~@ls$NlrZhaa`K6y$(@ >zM0ps~QVZLrIY7*fR%qC~s!E|IR4U(N=XX|q(Y1cF|4}@6RC{Q<Uq|1of&TTj2T#}e >z2G$}WmU_#{Rczp0@+_c)b|nZyv>epLj`X}U(qngJI2#opls9p(a*+y{6riZvO3sjZ >zS=^?CDI9Re88bW&G>sc_*2IG}dejN57Sp`8&|QyTPJK<D6CUQBw~m{iveVA*YbnIK >zm+UQ?3Lw)YNFgh4?MExyo0TCaWDCBd6uUH?xvPKbJpJ&@M7q%W%@38%dLjLD<inm} >z_PJ;C6WfzZ3d}Xj8m8RqJaC}2{%?>$&5Y_5iR<{WAg5|HddS*g1|}L2!)lUxpeiA% >zLERtq{)(IX<bCNY978js+sgc6`GuXXa53!eaIN6RScqN*w7Q{e22(c0A-k?hOI-^$ >zckjrW_2%#+*O)!y==HlkVd%a*H*u5poZsSe4L|Cc5IXL-_CyZi*b<P_pW*z(mw6mV >z{QiJc_XEGm7qQL%xrnnpQB-lYLO8(lmGSk!zSz&f4lI*g(x&;?SCfIUS%Yh9fEKtA >zYLR$Rr5v!UfTn6wfC2hT3E+QAF6)FG5Yl;79ED*rjfo$fO%~lr0jc2<P|UXF2>})M >z?e1Fdr^(x1pX6Krud?_noHoGs53Y-#vm1xXohe+5%1l)jgr3d3R9KyLkc(XTW5wxQ >zc1e0urdYF%Io$eHVw&amZb$x-zUfTU_O=C4n}R1Ob-n#1E#`uj5_Ufmo);<CSGOMy >zZAhsuFJRM$lQT%u`>Q5LMMw3?L<nVRy+AZK-T^{SpButHSGO3ugs|((1pNA-Y--DJ >zHpD>kt$s%*K=8Zld<GZ80yca$r3s}4NfL^xC5bDGyC(tXK67MtT&yeGQ5O~fEgy#d >z5n}<x{MRo8;&~V1*%2f1;`#WNy+BJgHA7Zoz$ITi$X9mc0F!e=1#@Ls4*a`Q9h9)x 
>zJGmLyH&YR{9huE=52RC*NO7?Ri)Ng~?vaM+=GO*v3IFAP`}?uelYsd8-GB@CUlzlE >zmPdx|7bAq>)tq=uYRb3RfP+Z`7Sf+5w$HN+O5jSu{$ClPHTI%3PH^(1uD$$&L$?Y) >xJ0?2SZJ!jzi0OgRvhIfbX~3<Q_Za!)px~q8+l_Gp68eSx&5MuqB}A6i{|Uc-sM-Jk > >literal 0 >HcmV?d00001 >
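Review bot: In the Source/WebCore/ChangeLog entry, the description "Test the correct size value before iterating over the SampleMap in presentationOrder()" does not say why `m_sampleData.size()` and `m_sampleData.presentationOrder().size()` can disagree. The added resource is named two-samples-with-same-pts.mp4, so please state that condition in the entry (and confirm it is the cause), so someone auditing similar bounds checks later can tell what input makes the two counts diverge.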
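Review bot: In Source/WebCore/Modules/mediasource/SampleMap.h, the new `size_t size() const { return m_samples.size(); }` lands without a comment, and this bug shows that callers can confuse it with the size reported by the enclosing SampleMap. A one-line comment saying this is the entry count of the presentation-order container, and the value to use when bounding iteration from its `begin()`, would help prevent the same mix-up at other call sites.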
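Review bot: In ImageDecoderAVFObjC::sampleAtIndex() (hunk at -670), the loop `for (size_t i = 0; i != index; ++i) ++iter;` still depends entirely on the early return to keep `iter` short of `end()`, with nothing checked at the point of use. The new guard compares against the container that is actually iterated, which is the right bound, but an ASSERT that `iter != m_sampleData.presentationOrder().end()` before `return toSample(iter);` would catch any future divergence in debug builds instead of dereferencing past the end. It is also worth confirming that no other code in this file derives a frame count or index from `m_sampleData.size()` and then passes it here.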
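Review bot: In the second ImageDecoderAVFObjC.mm hunk (at -679), the only change is to the blank line before `return toSample(iter);`, and the removed and added lines appear to differ only in whitespace. Please drop this hunk before landing so the patch does not introduce trailing whitespace or add noise to blame for a line the fix does not touch.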
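Review bot: In LayoutTests/fast/images/animated-image-mp4-crash.html, loadImage() has no rejection path: the executor passed to `new Promise(resolve => { ... })` returns the `image.decode().then(...)` chain, but that return value is ignored, so if decode() rejects for this deliberately malformed file the outer promise never settles and endTest() is never called. The test would then end by timeout rather than by its own logic. Returning `image.decode()` directly from loadImage() and calling endTest from both the fulfilled and rejected branches would make the test finish either way, since the property under test is only that the process does not crash. Two smaller points: `description('...')` is missing its trailing semicolon, and `setTimeout(endTest, 100)` makes the result depend on a fixed 100 ms delay, so a short comment on what that delay is waiting for would help whoever has to debug flakiness later.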