315339 – Fix heap-use-after-free in AudioVideoRendererAVFObjC::setTimeObserver when callback re-entrantly reinstalls the time observer

RESOLVED FIXED315339

Fix heap-use-after-free in AudioVideoRendererAVFObjC::setTimeObserver when callback re-entrantly reinstalls the time observer

https://bugs.webkit.org/show_bug.cgi?id=315339

Summary Fix heap-use-after-free in AudioVideoRendererAVFObjC::setTimeObserver when ca...

Kristian Monsen

Reported 2026-05-21 20:31:23 PDT

Guard m_currentTimeDidChangeCallback against re-entrant replacement during its own invocation by moving it to a stack local via std::exchange, restoring it only if no new callback was installed.

Attachments
Add attachment proposed patch, testcase, etc.

Kristian Monsen

Comment 1 2026-05-21 20:31:25 PDT

<rdar://problem/177666693>

Kristian Monsen

Comment 2 2026-05-21 20:32:45 PDT

Pull request: https://github.com/WebKit/WebKit/pull/65456

Jean-Yves Avenard [:jya]

Comment 3 2026-05-21 22:59:31 PDT

Pull request: https://github.com/WebKit/WebKit/pull/65463

EWS

Comment 4 2026-05-22 00:19:50 PDT

Committed 313715@main (8c860928afff): <https://commits.webkit.org/313715@main> Reviewed commits have been landed. Closing PR #65463 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component Media

Assignee

Jean-Yves Avenard [:jya]

Reported

2026-05-21 20:31 PDT

Modified

2026-05-22 00:19 PDT History

CC List

1 user Show

URL

Keywords InRadar

Depends on

Blocks