Description
Fix use-after-free in HTMLMediaElement::contextDestroyed
A use-after-free happens in the following scenario:
(1) ~HTMLMediaElement() is called
(2) ~MediaController() is called. But HTMLMediaElement::m_mediaController is not cleared out.
(3) ~Document() is called.
(4) HTMLMediaElement::contextDestroyed() is called. It accesses HTMLMediaElement::m_mediaController.
This CL clears out HTMLMediaElement::m_mediaController in (2) and fixes the issue.
For more details, see a crash report in the bug.
No test, since this bug is just detected in ASAN builds.
BUG=305278
Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=159237
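As an added illustration of the lifetime bug and the fix the description outlines (this is not the CL's code; Controller, Element, attach() and contextDestroyed() are placeholder names for a simplified model, not Blink's classes), the owner clears every back-pointer to itself in its destructor so that a lifecycle callback which runs later in teardown sees null instead of freed memory:

```cpp
#include <vector>

// Simplified stand-alone model (assumption, not Blink's code).
struct Element;

struct Controller {
    // Non-owning back-references to the elements attached to this controller.
    std::vector<Element*> elements;
    ~Controller();
};

struct Element {
    Controller* controller = nullptr;  // raw, non-owning, like m_mediaController

    void attach(Controller* c) {
        controller = c;
        c->elements.push_back(this);
    }

    // Late teardown callback (step 4 in the description). Returns true when
    // it found a live controller to talk to.
    bool contextDestroyed() {
        if (!controller)
            return false;  // safe: pointer was cleared when the controller died
        // With a stale pointer this dereference would be the use-after-free.
        return !controller->elements.empty();
    }
};

// The fix: when the controller is destroyed (step 2), clear each element's
// pointer to it so a later contextDestroyed() cannot dereference freed memory.
Controller::~Controller() {
    for (Element* e : elements)
        e->controller = nullptr;
}

// Reproduces the ordering from the description: the controller is torn down
// before the element's contextDestroyed() runs. Returns true when teardown
// stayed safe (pointer cleared, callback took the null path).
bool teardownIsSafe() {
    Element element;
    {
        Controller controller;
        element.attach(&controller);
    }  // ~Controller() runs here and clears element.controller
    return element.controller == nullptr && !element.contextDestroyed();
}

// Sanity check: while the controller is alive, the callback still reaches it.
bool liveCallbackSeesController() {
    Controller controller;
    Element element;
    element.attach(&controller);
    return element.contextDestroyed();
}
```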
Patch Set 1
Messages
Total messages: 6 (0 generated)