Bug 264119

Summary:	[GStreamer] MediaPlayerPrivateGStreamer stores refcounted AudioSourceProviderGStreamer in a std::unique_ptr
Product:	WebKit	Reporter:	Michael Catanzaro <mcatanzaro>
Component:	Media	Assignee:	Michael Catanzaro <mcatanzaro>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	bfulgham, bugs-noreply, mcatanzaro, philn, webkit-bug-importer
Priority:	P2	Keywords:	InRadar
Version:	WebKit Nightly Build
Hardware:	PC
OS:	Linux
See Also:	https://bugs.webkit.org/show_bug.cgi?id=261280 https://bugs.webkit.org/show_bug.cgi?id=261224

Michael Catanzaro

Reported 2023-11-02 17:00:34 PDT

The static assertion added in bug #261280 reveals that MediaPlayerPrivateGStreamer stores AudioSourceProviderGStreamer in a std::unique_ptr. This is unsafe because AudioSourceProviderGStreamer is refcounted and should not be deleted while a ref is outstanding.

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2023-11-02 17:00:46 PDT

<rdar://problem/117881093>

Michael Catanzaro

Comment 2 2023-11-02 17:29:24 PDT

This is a security bug, but the flaw is public on the 2.42 branch already since I needed to fix this for the 2.42.2 release, so no point in using the security fork for a pull request. Our scripts don't allow creating public pull requests against security bugs anymore, so changing product/component accordingly.

Michael Catanzaro

Comment 3 2023-11-02 17:29:58 PDT

Pull request: https://github.com/WebKit/WebKit/pull/19920

EWS

Comment 4 2023-11-06 07:31:00 PST

Committed 270266@main (0f803ec2d5e6): <https://commits.webkit.org/270266@main> Reviewed commits have been landed. Closing PR #19920 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.