CRASH in SourceBuffer::removeCodedFrames()
rdar://problem/57168384
Created attachment 383651
Patch

Comment on attachment 383651
Patch

Clearing flags on attachment: 383651

Committed r252511: <https://trac.webkit.org/changeset/252511>
All reviewed patches have been landed. Closing bug.
Comment on attachment 383651
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=383651&action=review

r=me

> Source/WebCore/Modules/mediasource/SourceBuffer.cpp:805
> +    if (start >= end)

Wasn’t there a second place where this check could be added that was missing it?

(In reply to David Kilzer (:ddkilzer) from comment #5)
> Comment on attachment 383651
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=383651&action=review
>
> r=me

Oops, didn’t see this landed already.

(In reply to David Kilzer (:ddkilzer) from comment #5)
> Comment on attachment 383651
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=383651&action=review
>
> r=me
>
> > Source/WebCore/Modules/mediasource/SourceBuffer.cpp:805
> > +    if (start >= end)
>
> Wasn’t there a second place where this check could be added that was missing
> it?

All those places are upstream of here. IOW, a check here checks every call site.

Comment on attachment 383651
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=383651&action=review

> Source/WebCore/ChangeLog:10
> +        Speculative fix for rare crash. It's possible that the startTime and endTime inputs to
> +        removeCodedFrames() are out-of-order, which could lead to iterating off the end of the
> +        SampleMap. Verify that startTime < endTime and bail out early if not true.

If it’s possible, then why are we asserting it’s not true?
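The failure mode the ChangeLog describes, as an added illustration that is not WebKit's code or the patch itself: a toy presentation-ordered sample map, a helper that shows how an inverted (start, end) pair produces a begin iterator that sits after the end iterator (so an `it != end` walk would run past the container), and a removal routine carrying the `start >= end` bail-out. The `Sample`/`SampleMap` types, `makeSampleMap`, the `demo*` wrappers, and the use of `double` in place of `MediaTime` are all assumptions made for this example.

```cpp
// Added example (not WebKit's code): a toy model of the removeCodedFrames()
// iteration over a presentation-ordered sample map, showing why an inverted
// [start, end) range walks off the end of the map and how the early
// `start >= end` bail-out from the patch closes it.
#include <cstddef>
#include <cstdio>
#include <iterator>
#include <map>

// Hypothetical stand-in for a decoded sample; WebKit's MediaSample is far richer.
struct Sample {
    double presentationTime; // seconds; WebKit uses MediaTime (assumption: double here)
    double duration;
};

// Hypothetical stand-in for WebKit's SampleMap presentation-order index.
using SampleMap = std::map<double, Sample>;

// Constructed data: `count` back-to-back samples of `duration` seconds each.
SampleMap makeSampleMap(std::size_t count, double duration)
{
    SampleMap samples;
    for (std::size_t i = 0; i < count; ++i) {
        double pts = static_cast<double>(i) * duration;
        samples.emplace(pts, Sample { pts, duration });
    }
    return samples;
}

// Models the unchecked lookup: first sample at or after `start`, first sample
// at or after `end`. If start > end, removeBegin lies *after* removeEnd, so a
// `for (it = removeBegin; it != removeEnd; ++it)` loop never meets removeEnd
// and increments past samples.end(): undefined behaviour, i.e. the crash.
// This only reports the inversion rather than performing the unsafe walk.
bool removalRangeIsInverted(const SampleMap& samples, double start, double end)
{
    auto removeBegin = samples.lower_bound(start);
    auto removeEnd = samples.lower_bound(end);
    // Compare positions via distance from begin(); O(n), fine for a demo.
    return std::distance(samples.begin(), removeEnd)
        < std::distance(samples.begin(), removeBegin);
}

// Hardened removal with the r252511-style guard: refuse start >= end so the
// iterator pair below is always a valid forward range. Returns samples erased.
std::size_t removeCodedFrames(SampleMap& samples, double start, double end)
{
    if (start >= end)
        return 0;

    auto removeBegin = samples.lower_bound(start);
    auto removeEnd = samples.lower_bound(end);
    std::size_t erased = 0;
    for (auto it = removeBegin; it != removeEnd;) {
        it = samples.erase(it); // erase() returns the successor (C++11)
        ++erased;
    }
    return erased;
}

// Convenience wrappers over a fresh 10-sample, 1 s/sample map (constructed data).
bool demoRangeInverted(double start, double end)
{
    SampleMap samples = makeSampleMap(10, 1.0);
    return removalRangeIsInverted(samples, start, end);
}

std::size_t demoRemoveCount(double start, double end)
{
    SampleMap samples = makeSampleMap(10, 1.0);
    return removeCodedFrames(samples, start, end);
}

int main()
{
    std::printf("inverted(7,3): %d\n", demoRangeInverted(7.0, 3.0) ? 1 : 0);
    std::printf("removed [2,5): %zu\n", demoRemoveCount(2.0, 5.0));
    std::printf("removed [7,3): %zu\n", demoRemoveCount(7.0, 3.0));
    return 0;
}
```

The guard is placed at the single sink rather than at each caller, matching the reasoning in the thread that a check in removeCodedFrames() covers every upstream call site; an assertion alone would document the invariant but would not stop the iterator walk in a release build.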