Chromium Code Reviews

Issue 26129006: Fix use-after-free in HTMLMediaElement::contextDestroyed (Closed)

Created:
7 years, 2 months ago by haraken
Modified:
7 years, 2 months ago
CC:
blink-reviews, feature-media-reviews_chromium.org, dglazkov+blink, nessy, vcarbune.chromium, adamk+blink_chromium.org
Visibility:
Public.

Description

Fix use-after-free in HTMLMediaElement::contextDestroyed

A use-after-free happens in the following scenario:

(1) ~HTMLMediaElement() is called
(2) ~MediaController() is called. But HTMLMediaElement::m_mediaController is not cleared out.
(3) ~Document() is called.
(4) HTMLMediaElement::contextDestroyed() is called. It accesses HTMLMediaElement::m_mediaController.

This CL clears out HTMLMediaElement::m_mediaController in (2) and fixes the issue. For more details, see a crash report in the bug.

No test, since this bug is just detected in ASAN builds.

BUG=305278

Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=159237
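A simplified model of the teardown order in the description, added here as an illustration and not taken from Blink or from this CL. `Element`, `Controller`, `g_live` and `teardownIsSafe` are hypothetical names, and clearing the back-pointer from the controller's destructor is an assumption, since the diff is not shown on this page. A liveness registry stands in for ASAN so the stale pointer is detected without being dereferenced.

```cpp
// Added illustration: simplified model of the lifetime bug, not Blink source.
#include <new>
#include <set>

class Controller;
// Liveness registry: stands in for ASAN so the model never touches a dead object.
static std::set<const Controller*> g_live;

class Element {
public:
    void setController(Controller* c);
    void clearController() { m_controller = nullptr; }
    bool contextDestroyed();  // false: would have dereferenced a destroyed controller
private:
    Controller* m_controller = nullptr;  // raw back-pointer, as in the description
};

class Controller {
public:
    explicit Controller(bool clearBackPointers) : m_clear(clearBackPointers) { g_live.insert(this); }
    ~Controller() {
        // The fix (placement assumed): no element may keep pointing at a dead controller.
        if (m_clear) for (Element* e : m_elements) e->clearController();
        g_live.erase(this);
    }
    void add(Element* e) { m_elements.insert(e); }
    void remove(Element* e) { m_elements.erase(e); }
private:
    bool m_clear;
    std::set<Element*> m_elements;
};

void Element::setController(Controller* c) { m_controller = c; c->add(this); }
bool Element::contextDestroyed() {
    if (!m_controller) return true;                 // nothing left to detach from
    if (!g_live.count(m_controller)) return false;  // stale pointer: the use-after-free
    m_controller->remove(this);
    m_controller = nullptr;
    return true;
}

// Steps (2) and (4): the controller dies first, then the element is notified.
bool teardownIsSafe(bool clearBackPointers) {
    alignas(Controller) unsigned char storage[sizeof(Controller)];
    Element element;
    Controller* c = new (storage) Controller(clearBackPointers);
    element.setController(c);
    c->~Controller();  // storage stays valid, so comparing the stale pointer is well defined
    return element.contextDestroyed();
}
```

`teardownIsSafe(false)` models the behaviour before the fix and `teardownIsSafe(true)` the behaviour after it.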

Patch Set 1 #

M Source/core/html/HTMLMediaElement.cpp (1 chunk, +3 lines, -1 line, 0 comments)

Messages

Total messages: 6 (0 generated)
haraken
acolwell: would you take a look?
7 years, 2 months ago (2013-10-09 00:30:10 UTC) #1
acolwell GONE FROM CHROMIUM
On 2013/10/09 00:30:10, haraken wrote: > acolwell: would you take a look? The change looks ...
7 years, 2 months ago (2013-10-09 00:51:40 UTC) #2
haraken
Thanks for reviewing! On 2013/10/09 00:51:40, acolwell wrote: > On 2013/10/09 00:30:10, haraken wrote: > ...
7 years, 2 months ago (2013-10-09 01:47:04 UTC) #3
acolwell GONE FROM CHROMIUM
lgtm
7 years, 2 months ago (2013-10-09 14:53:16 UTC) #4
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/haraken@chromium.org/26129006/1
7 years, 2 months ago (2013-10-09 14:53:55 UTC) #5
commit-bot: I haz the power
7 years, 2 months ago (2013-10-09 15:58:31 UTC) #6
Message was sent while issue was closed.
Change committed as 159237
