Fix potential null pointer access in HTMLMediaElement::seek

third_party/WebKit/Source/core/html/HTMLMediaElement.cpp

Index: third_party/WebKit/Source/core/html/HTMLMediaElement.cpp
diff --git a/third_party/WebKit/Source/core/html/HTMLMediaElement.cpp b/third_party/WebKit/Source/core/html/HTMLMediaElement.cpp
index 06d4a93b6dfca9cb3d42b26427ecb7be2d3f6673..04d10611fb241714d8dd10d4c432a4b93c0a03d1 100644
--- a/third_party/WebKit/Source/core/html/HTMLMediaElement.cpp
+++ b/third_party/WebKit/Source/core/html/HTMLMediaElement.cpp
@@ -1721,7 +1721,7 @@ void HTMLMediaElement::seek(double time)
     // time scale, we will ask the media engine to "seek" to the current movie time, which may be a noop and
     // not generate a timechanged callback. This means m_seeking will never be cleared and we will never
     // fire a 'seeked' event.
-    double mediaTime = webMediaPlayer()->mediaTimeForTimeValue(time);
+    double mediaTime = webMediaPlayer() ? webMediaPlayer()->mediaTimeForTimeValue(time) : 0.0;
     if (time != mediaTime) {
         WTF_LOG(Media, "HTMLMediaElement::seek(%p, %f) - media timeline equivalent is %f", this, time, mediaTime);
         time = mediaTime;
@@ -1733,7 +1733,7 @@ void HTMLMediaElement::seek(double time)
     // attribute then set the seeking IDL attribute to false and abort these steps.
     TimeRanges* seekableRanges = seekable();
 
-    if (!seekableRanges->length()) {
+    if (!webMediaPlayer() || !seekableRanges->length()) {
         m_seeking = false;
         return;
     }
@@ -2137,14 +2137,16 @@ void HTMLMediaElement::pauseInternal()
 void HTMLMediaElement::requestRemotePlayback()
 {
     ASSERT(m_remoteRoutesAvailable);
-    webMediaPlayer()->requestRemotePlayback();
+    if (webMediaPlayer())

[philipj_slow, 2016/04/06 15:08:01]

Have you seen a crash here? I'd like to avoid spreading the hack any further
than necessary, so the same question applies below too.

[pavor, 2016/05/12 12:03:36]

I have only seen a crash inside seek. Because I haven't figured out the reason,
and there is a lot of discrepancy in the rest of the file whether to check it or
not, and even how to access m_webMediaPlayer pointer (directly as a field or
with webMediaPlayer()), I decided to leave without checks only
WebMediaPlayerClient overrides, which appear to be called from webMediaPlayer
itself.

[liberato (no reviews please), 2016/05/18 17:27:54]

do you see these crashes only on android?  can you tell if the player is src= or
mse?

some non-trivial work happens in WebMediaPlayerAndroid's (WMPA) destructor.  it
notifies |media_source_delegate_| to stop, which in turn does things like talks
to the MSE demuxer.  If some callback into WMPA happens during that process,
such as UpdateReadyState, then i could see WMPA calling back into
HTMLMediaElement and resetting the ready state.

however, that's all conjecture on my part.  i have no idea if those callbacks
happen, or if the ready state is reset in HTMLMediaElement before or after the
media player is cleared.

destroying the weak refs explicitly in WMPA::~WMPA would prevent it, if that's
true.

+        webMediaPlayer()->requestRemotePlayback();
     Platform::current()->recordAction(UserMetricsAction("Media_RequestRemotePlayback"));
 }
 
 void HTMLMediaElement::requestRemotePlaybackControl()
 {
     ASSERT(m_remoteRoutesAvailable);
-    webMediaPlayer()->requestRemotePlaybackControl();
+    if (webMediaPlayer())
+        webMediaPlayer()->requestRemotePlaybackControl();
     Platform::current()->recordAction(UserMetricsAction("Media_RequestRemotePlayback_Control"));
 }
 
@@ -2353,7 +2355,8 @@ void HTMLMediaElement::audioTracksTimerFired(Timer<HTMLMediaElement>*)
             enabledTrackIds.append(track->trackId());
     }
 
-    webMediaPlayer()->enabledAudioTracksChanged(enabledTrackIds);
+    if (webMediaPlayer())
+        webMediaPlayer()->enabledAudioTracksChanged(enabledTrackIds);
 }
 
 WebMediaPlayer::TrackId HTMLMediaElement::addAudioTrack(const WebString& id, WebMediaPlayerClient::AudioTrackKind kind, const WebString& label, const WebString& language, bool enabled)
@@ -2397,7 +2400,8 @@ void HTMLMediaElement::selectedVideoTrackChanged(WebMediaPlayer::TrackId* select
 
     // FIXME: Add call on m_mediaSource to notify it of track changes once the SourceBuffer.videoTracks attribute is added.
 
-    webMediaPlayer()->selectedVideoTrackChanged(selectedTrackId);
+    if (webMediaPlayer())
+        webMediaPlayer()->selectedVideoTrackChanged(selectedTrackId);
 }
 
 WebMediaPlayer::TrackId HTMLMediaElement::addVideoTrack(const WebString& id, WebMediaPlayerClient::VideoTrackKind kind, const WebString& label, const WebString& language, bool selected)