RESOLVED FIXED204248
CRASH in SourceBuffer::removeCodedFrames() 
https://bugs.webkit.org/show_bug.cgi?id=204248
Summary CRASH in SourceBuffer::removeCodedFrames()
Jer Noble
Reported 2019-11-15 14:11:59 PST
CRASH in SourceBuffer::removeCodedFrames()
Attachments
Patch (1.69 KB, patch)
2019-11-15 14:28 PST, Jer Noble 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Jer Noble
Comment 1 2019-11-15 14:12:35 PST
rdar://problem/57168384
Jer Noble
Comment 2 2019-11-15 14:28:14 PST
Created attachment 383651 [details] Patch
WebKit Commit Bot
Comment 3 2019-11-15 16:05:08 PST
Comment on attachment 383651 [details] Patch Clearing flags on attachment: 383651 Committed r252511: <https://trac.webkit.org/changeset/252511>
WebKit Commit Bot
Comment 4 2019-11-15 16:05:10 PST
All reviewed patches have been landed. Closing bug.
David Kilzer (:ddkilzer)
Comment 5 2019-11-15 16:28:06 PST
Comment on attachment 383651 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=383651&action=review r=me > Source/WebCore/Modules/mediasource/SourceBuffer.cpp:805 > + if (start >= end) Wasn’t there a second place where this check could be added that was missing it?
David Kilzer (:ddkilzer)
Comment 6 2019-11-15 16:30:43 PST
(In reply to David Kilzer (:ddkilzer) from comment #5) > Comment on attachment 383651 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=383651&action=review > > r=me Oops, didn’t see this landed already.
Jer Noble
Comment 7 2019-11-15 19:55:49 PST
(In reply to David Kilzer (:ddkilzer) from comment #5) > Comment on attachment 383651 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=383651&action=review > > r=me > > > Source/WebCore/Modules/mediasource/SourceBuffer.cpp:805 > > + if (start >= end) > > Wasn’t there a second place where this check could be added that was missing > it? All those places are upstream of here. IOW, a check here checks every call site.
Darin Adler
Comment 8 2019-11-18 09:25:46 PST
Comment on attachment 383651 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=383651&action=review > Source/WebCore/ChangeLog:10 > + Speculative fix for rare crash. It's possible that the startTime and endTime inputs to > + removeCodedFrames() are out-of-order, which could lead to iterating off the end of the > + SampleMap. Verify that startTime < endTime and bail out early if not true. If it’s possible, then why are we asserting it’s not true?
Note You need to log in before you can comment on or make changes to this bug.