Bug 315339

Summary:	Fix heap-use-after-free in AudioVideoRendererAVFObjC::setTimeObserver when callback re-entrantly reinstalls the time observer
Product:	WebKit	Reporter:	Kristian Monsen <k_monsen>
Component:	Media	Assignee:	Jean-Yves Avenard [:jya] <jean-yves.avenard>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	webkit-bug-importer
Priority:	P2	Keywords:	InRadar
Version:	WebKit Nightly Build
Hardware:	Unspecified
OS:	Unspecified

Kristian Monsen

Reported 2026-05-21 20:31:23 PDT

Guard m_currentTimeDidChangeCallback against re-entrant replacement during its own invocation by moving it to a stack local via std::exchange, restoring it only if no new callback was installed.

Attachments
Add attachment proposed patch, testcase, etc.

Kristian Monsen

Comment 1 2026-05-21 20:31:25 PDT

<rdar://problem/177666693>

Kristian Monsen

Comment 2 2026-05-21 20:32:45 PDT

Pull request: https://github.com/WebKit/WebKit/pull/65456

Jean-Yves Avenard [:jya]

Comment 3 2026-05-21 22:59:31 PDT

Pull request: https://github.com/WebKit/WebKit/pull/65463

EWS

Comment 4 2026-05-22 00:19:50 PDT

Committed 313715@main (8c860928afff): <https://commits.webkit.org/313715@main> Reviewed commits have been landed. Closing PR #65463 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.