Bug 159639 - Possible null dereference under SourceBuffer::sourceBufferPrivateDidReceiveSample()
Summary: Possible null dereference under SourceBuffer::sourceBufferPrivateDidReceiveSa...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Media (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Chris Dumez
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2016-07-11 12:36 PDT by Chris Dumez
Modified: 2017-03-31 15:48 PDT (History)
5 users (show)

See Also:

Attachments
Patch (1.83 KB, patch)
2016-07-11 12:38 PDT, Chris Dumez 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Chris Dumez 2016-07-11 12:36:54 PDT 
Possible null dereference under SourceBuffer::sourceBufferPrivateDidReceiveSample():
Thread[0] EXC_BAD_ACCESS (SIGSEGV) (KERN_INVALID_ADDRESS at 0x0000000000000000)
[  0] 0x00007fffa678ee35 WebCore`WebCore::SourceBuffer::sourceBufferPrivateDidReceiveSample(WebCore::SourceBufferPrivate*, WTF::PassRefPtr<WebCore::MediaSample>) + 2085 at SourceBuffer.cpp:1464:21
       1460	                // spliced audio frame.
       1461	                // FIXME: Add support for sample splicing.
       1462	
       1463	                // If track buffer contains video coded frames:
    -> 1464	                if (trackBuffer.description->isVideo()) {
       1465	                    // 1.14.2.1 Let overlapped frame presentation timestamp equal the presentation timestamp
       1466	                    // of overlapped frame.
       1467	                    MediaTime overlappedFramePresentationTimestamp = overlappedFrame->presentationTime();
       1468	
    

     0x00007fffa678ee26:    testq %rbx, %rbx
     0x00007fffa678ee29:       je 0xe39e2e             ; <+2078> [inlined] WTF::RefPtr<WebCore::MediaDescription>::operator->() const at SourceBuffer.cpp:1464
     0x00007fffa678ee2b:     incl 0x8(%rbx)
     0x00007fffa678ee2e:     movq 0xb0(%r14), %rdi
 ->  0x00007fffa678ee35:     movq (%rdi), %rax
     0x00007fffa678ee38:    callq *0x18(%rax)
     0x00007fffa678ee3b:    testb %al, %al
     0x00007fffa678ee3d:       je 0xe39ef9             ; <+2281> at SourceBuffer.cpp:1477
     0x00007fffa678ee43:     movq %r12, -0x300(%rbp)

[  1] 0x00007fffa6795c79 WebCore`WebCore::SourceBufferPrivateAVFObjC::processCodedFrame(int, opaqueCMSampleBuffer*, WTF::String const&) + 217 at SourceBufferPrivateAVFObjC.mm:699:9
       695 	
       696 	    if (m_client) {
       697 	        RefPtr<MediaSample> mediaSample = MediaSampleAVFObjC::create(sampleBuffer, trackID);
       698 	        LOG(MediaSourceSamples, "SourceBufferPrivateAVFObjC::processCodedFrame(%p) - sample(%s)", this, toString(*mediaSample).utf8().data());
    -> 699 	        m_client->sourceBufferPrivateDidReceiveSample(this, WTFMove(mediaSample));
       700 	    }
       701 	
       702 	    return true;
       703 	}
Comment 1 Chris Dumez 2016-07-11 12:38:08 PDT 
Created attachment 283333 [details]
Patch
Comment 2 Radar WebKit Bug Importer 2016-07-11 12:39:07 PDT 
<rdar://problem/27282945>
Comment 3 Chris Dumez 2016-07-11 16:24:24 PDT 
Jer, it looks like you wrote this code, what do you think?
Comment 4 Alexey Proskuryakov 2016-07-11 23:33:12 PDT 
Comment on attachment 283333 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=283333&action=review

> Source/WebCore/ChangeLog:8
> +        Add a null check for trackBuffer.description before dereferencing as it seems

Test?
Comment 5 Chris Dumez 2016-07-12 11:52:27 PDT 
(In reply to comment #4)
> Comment on attachment 283333 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=283333&action=review
> 
> > Source/WebCore/ChangeLog:8
> > +        Add a null check for trackBuffer.description before dereferencing as it seems
> 
> Test?

I'll talk to Jer as I have no idea how to exercise this code path. We have seen this crash in the wild but I have not been able to reproduce.
Comment 6 Brent Fulgham 2016-08-22 11:19:29 PDT 
(In reply to comment #5)
> > Test?
> 
> I'll talk to Jer as I have no idea how to exercise this code path. We have
> seen this crash in the wild but I have not been able to reproduce.

It's been a month -- any update?
Comment 7 WebKit Commit Bot 2017-03-31 15:48:54 PDT 
Comment on attachment 283333 [details]
Patch

Clearing flags on attachment: 283333

Committed r214693: <http://trac.webkit.org/changeset/214693>
Comment 8 WebKit Commit Bot 2017-03-31 15:48:57 PDT 
All reviewed patches have been landed.  Closing bug.