159639 2016-07-11 12:36:54 -0700 Possible null dereference under SourceBuffer::sourceBufferPrivateDidReceiveSample() 2017-03-31 15:48:57 -0700 1 1 1 Unclassified WebKit Media WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 cdumez cdumez bfulgham commit-queue eric.carlson jer.noble webkit-bug-importer oldest_to_newest 1209749 0 cdumez 2016-07-11 12:36:54 -0700 Possible null dereference under SourceBuffer::sourceBufferPrivateDidReceiveSample(): Thread[0] EXC_BAD_ACCESS (SIGSEGV) (KERN_INVALID_ADDRESS at 0x0000000000000000) [ 0] 0x00007fffa678ee35 WebCore`WebCore::SourceBuffer::sourceBufferPrivateDidReceiveSample(WebCore::SourceBufferPrivate*, WTF::PassRefPtr<WebCore::MediaSample>) + 2085 at SourceBuffer.cpp:1464:21 1460 // spliced audio frame. 1461 // FIXME: Add support for sample splicing. 1462 1463 // If track buffer contains video coded frames: -> 1464 if (trackBuffer.description->isVideo()) { 1465 // 1.14.2.1 Let overlapped frame presentation timestamp equal the presentation timestamp 1466 // of overlapped frame. 1467 MediaTime overlappedFramePresentationTimestamp = overlappedFrame->presentationTime(); 1468 0x00007fffa678ee26: testq %rbx, %rbx 0x00007fffa678ee29: je 0xe39e2e ; <+2078> [inlined] WTF::RefPtr<WebCore::MediaDescription>::operator->() const at SourceBuffer.cpp:1464 0x00007fffa678ee2b: incl 0x8(%rbx) 0x00007fffa678ee2e: movq 0xb0(%r14), %rdi -> 0x00007fffa678ee35: movq (%rdi), %rax 0x00007fffa678ee38: callq *0x18(%rax) 0x00007fffa678ee3b: testb %al, %al 0x00007fffa678ee3d: je 0xe39ef9 ; <+2281> at SourceBuffer.cpp:1477 0x00007fffa678ee43: movq %r12, -0x300(%rbp) [ 1] 0x00007fffa6795c79 WebCore`WebCore::SourceBufferPrivateAVFObjC::processCodedFrame(int, opaqueCMSampleBuffer*, WTF::String const&) + 217 at SourceBufferPrivateAVFObjC.mm:699:9 695 696 if (m_client) { 697 RefPtr<MediaSample> mediaSample = MediaSampleAVFObjC::create(sampleBuffer, trackID); 698 LOG(MediaSourceSamples, "SourceBufferPrivateAVFObjC::processCodedFrame(%p) - sample(%s)", this, toString(*mediaSample).utf8().data()); -> 699 m_client->sourceBufferPrivateDidReceiveSample(this, WTFMove(mediaSample)); 700 } 701 702 return true; 703 } 1209750 1 283333 cdumez 2016-07-11 12:38:08 -0700 Created attachment 283333 Patch 1209751 2 webkit-bug-importer 2016-07-11 12:39:07 -0700 <rdar://problem/27282945> 1209861 3 cdumez 2016-07-11 16:24:24 -0700 Jer, it looks like you wrote this code, what do you think? 1209955 4 283333 ap 2016-07-11 23:33:12 -0700 Comment on attachment 283333 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=283333&action=review > Source/WebCore/ChangeLog:8 > + Add a null check for trackBuffer.description before dereferencing as it seems Test? 1210119 5 cdumez 2016-07-12 11:52:27 -0700 (In reply to comment #4) > Comment on attachment 283333 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=283333&action=review > > > Source/WebCore/ChangeLog:8 > > + Add a null check for trackBuffer.description before dereferencing as it seems > > Test? I'll talk to Jer as I have no idea how to exercise this code path. We have seen this crash in the wild but I have not been able to reproduce. 1221910 6 bfulgham 2016-08-22 11:19:29 -0700 (In reply to comment #5) > > Test? > > I'll talk to Jer as I have no idea how to exercise this code path. We have > seen this crash in the wild but I have not been able to reproduce. It's been a month -- any update? 1293338 7 283333 commit-queue 2017-03-31 15:48:54 -0700 Comment on attachment 283333 Patch Clearing flags on attachment: 283333 Committed r214693: <http://trac.webkit.org/changeset/214693> 1293339 8 commit-queue 2017-03-31 15:48:57 -0700 All reviewed patches have been landed. Closing bug. 283333 2016-07-11 12:38:08 -0700 2017-03-31 15:48:54 -0700 Patch bug-159639-20160711123727.patch text/plain 1870 cdumez U3VidmVyc2lvbiBSZXZpc2lvbjogMjAzMDY1CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggOWI1NzUyZTQ4NjZlYzc0 MjhkNDUyYTk0ZWI5NTUyMTQ4NzFmNjA2NS4uYzcyZjNiODg3NzRmNmQyYjEyOWE0YWQ3NjNhYjMy MTNlOTFmZGVhOCAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE2IEBACisyMDE2LTA3LTExICBDaHJp cyBEdW1leiAgPGNkdW1lekBhcHBsZS5jb20+CisKKyAgICAgICAgUG9zc2libGUgbnVsbCBkZXJl ZmVyZW5jZSB1bmRlciBTb3VyY2VCdWZmZXI6OnNvdXJjZUJ1ZmZlclByaXZhdGVEaWRSZWNlaXZl U2FtcGxlKCkKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lk PTE1OTYzOQorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAg IEFkZCBhIG51bGwgY2hlY2sgZm9yIHRyYWNrQnVmZmVyLmRlc2NyaXB0aW9uIGJlZm9yZSBkZXJl ZmVyZW5jaW5nIGFzIGl0IHNlZW1zCisgICAgICAgIGl0IGNhbiBiZSBudWxsLgorCisgICAgICAg ICogTW9kdWxlcy9tZWRpYXNvdXJjZS9Tb3VyY2VCdWZmZXIuY3BwOgorICAgICAgICAoV2ViQ29y ZTo6U291cmNlQnVmZmVyOjpzb3VyY2VCdWZmZXJQcml2YXRlRGlkUmVjZWl2ZVNhbXBsZSk6CisK IDIwMTYtMDctMTEgIE5hZWwgT3VlZHJhb2dvICA8bmFlbC5vdWVkcmFvZ29AY3JmLmNhbm9uLmZy PgogCiAgICAgICAgIHRvTmF0aXZlIGZ1bmN0aW9ucyBpbiBKU0RPTUJpbmRpbmcuaCBzaG91bGQg dGFrZSBhbiBFeGVjU3RhdGUgcmVmZXJlbmNlIGluc3RlYWQgb2YgcG9pbnRlcgpkaWZmIC0tZ2l0 IGEvU291cmNlL1dlYkNvcmUvTW9kdWxlcy9tZWRpYXNvdXJjZS9Tb3VyY2VCdWZmZXIuY3BwIGIv U291cmNlL1dlYkNvcmUvTW9kdWxlcy9tZWRpYXNvdXJjZS9Tb3VyY2VCdWZmZXIuY3BwCmluZGV4 IGJkMWExMTBhZTY2MmI4Mjc4YThlNjlmN2IwMzY1ZDI0ZGRiNWNlYzUuLjIyZmIwODkxNjkwMGE2 ZDZhOWE2NmIwNjUxMWE0NjgyMTAxODM1MWIgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJDb3JlL01v ZHVsZXMvbWVkaWFzb3VyY2UvU291cmNlQnVmZmVyLmNwcAorKysgYi9Tb3VyY2UvV2ViQ29yZS9N b2R1bGVzL21lZGlhc291cmNlL1NvdXJjZUJ1ZmZlci5jcHAKQEAgLTE0ODgsNyArMTQ4OCw3IEBA IHZvaWQgU291cmNlQnVmZmVyOjpzb3VyY2VCdWZmZXJQcml2YXRlRGlkUmVjZWl2ZVNhbXBsZShT b3VyY2VCdWZmZXJQcml2YXRlKiwgUGFzCiAgICAgICAgICAgICAgICAgLy8gRklYTUU6IEFkZCBz dXBwb3J0IGZvciBzYW1wbGUgc3BsaWNpbmcuCiAKICAgICAgICAgICAgICAgICAvLyBJZiB0cmFj ayBidWZmZXIgY29udGFpbnMgdmlkZW8gY29kZWQgZnJhbWVzOgotICAgICAgICAgICAgICAgIGlm ICh0cmFja0J1ZmZlci5kZXNjcmlwdGlvbi0+aXNWaWRlbygpKSB7CisgICAgICAgICAgICAgICAg aWYgKHRyYWNrQnVmZmVyLmRlc2NyaXB0aW9uICYmIHRyYWNrQnVmZmVyLmRlc2NyaXB0aW9uLT5p c1ZpZGVvKCkpIHsKICAgICAgICAgICAgICAgICAgICAgLy8gMS4xNC4yLjEgTGV0IG92ZXJsYXBw ZWQgZnJhbWUgcHJlc2VudGF0aW9uIHRpbWVzdGFtcCBlcXVhbCB0aGUgcHJlc2VudGF0aW9uIHRp bWVzdGFtcAogICAgICAgICAgICAgICAgICAgICAvLyBvZiBvdmVybGFwcGVkIGZyYW1lLgogICAg ICAgICAgICAgICAgICAgICBNZWRpYVRpbWUgb3ZlcmxhcHBlZEZyYW1lUHJlc2VudGF0aW9uVGlt ZXN0YW1wID0gb3ZlcmxhcHBlZEZyYW1lLT5wcmVzZW50YXRpb25UaW1lKCk7Cg==