Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 8384c8455e7b5bc40b42c8cc7e9336b519d6cd80
      
https://github.com/WebKit/WebKit/commit/8384c8455e7b5bc40b42c8cc7e9336b519d6cd80
  Author: Youenn Fablet <[email protected]>
  Date:   2026-06-15 (Mon, 15 Jun 2026)

  Changed paths:
    M LayoutTests/http/wpt/webrtc/audio-video-transform.js
    M LayoutTests/http/wpt/webrtc/audiovideo-script-transform-expected.txt
    M LayoutTests/http/wpt/webrtc/audiovideo-script-transform.html
    M Source/WebCore/Modules/mediastream/RTCEncodedStreamProducer.cpp
    M Source/WebCore/Modules/mediastream/RTCEncodedStreamProducer.h
    M Source/WebCore/Modules/mediastream/RTCRtpScriptTransformer.cpp
    M Source/WebCore/Modules/mediastream/RTCRtpTransformableFrame.h

  Log Message:
  -----------
  Type Confusion in RTCEncodedStreamProducer.cpp Results in OOB Read
https://bugs.webkit.org/show_bug.cgi?id=311131
rdar://173718825

Reviewed by Eric Carlson.

We add a check in RTCEncodedStreamProducer::writeFrame that we can only enqueue 
a video frame on a video sender/receiver,
and an audio frame on an audio sender/receiver.
We should also allow writing frames in a WritableStream that are generated from 
the corresponding ReadableStream.
We add the check in RTCEncodedStreamProducer::writeFrame for 
RTCRtpScriptTransformer and

Covered by updated test.

* LayoutTests/http/wpt/webrtc/audio-video-transform.js:
(AudioVideoRTCRtpTransformer):
(AudioVideoRTCRtpTransformer.prototype.process):
(onrtctransform): Deleted.
* LayoutTests/http/wpt/webrtc/audiovideo-script-transform-expected.txt:
* LayoutTests/http/wpt/webrtc/audiovideo-script-transform.html:
* Source/WebCore/Modules/mediastream/RTCEncodedStreamProducer.cpp:
(WebCore::RTCEncodedStreamProducer::start):
(WebCore::RTCEncodedStreamProducer::enqueueFrame):
(WebCore::RTCEncodedStreamProducer::writeFrame):
* Source/WebCore/Modules/mediastream/RTCEncodedStreamProducer.h:
* Source/WebCore/Modules/mediastream/RTCRtpScriptTransformer.cpp:
(WebCore::RTCRtpScriptTransformer::start):
* Source/WebCore/Modules/mediastream/RTCRtpTransformableFrame.h:
(WebCore::RTCRtpTransformableFrame::isFromTransformer const):
(WebCore::RTCRtpTransformableFrame::setTransformer):

Originally-landed-as: 305413.606@rapid/safari-7624.2.5.110-branch 
(8d45e135c17e). rdar://176061902
Canonical link: https://commits.webkit.org/315256@main
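
The kind check described in the log message, as an added example that is not WebKit code and not taken from this commit: a write is accepted only when the frame came from the same producer's readable side or its kind matches the producer's kind. `MediaKind`, `Frame`, `StreamProducer`, `makeFrame` and the `origin` tag are hypothetical names, and treating "generated from the corresponding ReadableStream" as an origin-pointer comparison is an assumption.

```cpp
// Added illustration, not WebKit source. All names here are hypothetical.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <utility>
#include <vector>

enum class MediaKind { Audio, Video };

struct Frame {
    MediaKind kind;
    const void* origin;            // producer whose readable side emitted it, or nullptr
    std::vector<uint8_t> payload;
};

class StreamProducer {
public:
    explicit StreamProducer(MediaKind kind) : m_kind(kind) {}

    // Readable side: tag each frame handed to script with its producer.
    Frame makeFrame(std::vector<uint8_t> payload) const
    {
        return Frame { m_kind, this, std::move(payload) };
    }

    // Writable side: decide before any code treats the frame as audio or video.
    bool writeFrame(const Frame& frame)
    {
        bool fromOwnReadable = frame.origin == this;
        if (!fromOwnReadable && frame.kind != m_kind)
            return false;          // mismatched kind: drop, never downcast
        m_queue.push_back(frame);
        return true;
    }

    std::size_t queued() const { return m_queue.size(); }

private:
    MediaKind m_kind;
    std::vector<Frame> m_queue;
};

int main()
{
    StreamProducer audio(MediaKind::Audio), video(MediaKind::Video);
    // Constructed sample frames.
    bool own = video.writeFrame(video.makeFrame({ 0x01, 0x02 }));
    bool crossed = video.writeFrame(audio.makeFrame({ 0x03 }));
    std::printf("own=%d crossed=%d queued=%zu\n", own, crossed, video.queued());
    return 0;
}
```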
