Bug 306794

Summary:	Crash in WebCore::RemoteCommandListener::supportsSeeking()
Product:	WebKit	Reporter:	David Kilzer (:ddkilzer) <ddkilzer>
Component:	Media	Assignee:	David Kilzer (:ddkilzer) <ddkilzer>
Status:	NEW
Severity:	Normal	CC:	webkit-bug-importer
Priority:	P2	Keywords:	InRadar
Version:	WebKit Nightly Build
Hardware:	Unspecified
OS:	Unspecified

David Kilzer (:ddkilzer)

Reported 2026-02-02 12:18:56 PST

WebCore crashes when MediaRemote framework calls through a stale pointer to `RemoteCommandListener::supportsSeeking()`. The crash occurs when: 1. A `RemoteCommandListenerCocoa` object registers a block with MediaRemote framework 2. The object is destroyed but MediaRemote retains the block 3. MediaRemote later executes the block, which accesses freed memory **Stack trace:** ``` 0 WebCore: WebCore::RemoteCommandListener::supportsSeeking() const 1 WebCore: invocation function for block in WebCore::RemoteCommandListenerCocoa::RemoteCommandListenerCocoa 2 WebCore: WebCore::RemoteCommandListenerCocoa::RemoteCommandListenerCocoa 3 MediaRemote: __MRMediaRemoteAddAsyncCommandHandlerBlockForPlayer_block_invoke 4 MediaRemote: MRMediaRemoteAddAsyncCommandHandlerBlock ``` <rdar://162768654>

Attachments
Add attachment proposed patch, testcase, etc.

David Kilzer (:ddkilzer)

Comment 1 2026-02-02 12:37:15 PST

Pull request: https://github.com/apple/WebKit/pull/4415

Note You need to log in before you can comment on or make changes to this bug.