Title: [142887] trunk/Source/WebCore
Revision: 142887
Author: tom...@google.com
Date: 2013-02-14 09:47:36 -0800 (Thu, 14 Feb 2013)
Log Message
MediaStream API: RTCDataChannel triggers a use-after-free
https://bugs.webkit.org/show_bug.cgi?id=109806
Reviewed by Adam Barth.
Making sure RTCPeerConnection::stop() is always called at least once.
Also making sure that RTCDataChannels state gets set to Closed correctly.
Hard to test in WebKit but covered by Chromium tests.
* Modules/mediastream/RTCDataChannel.cpp:
(WebCore::RTCDataChannel::stop):
* Modules/mediastream/RTCPeerConnection.cpp:
(WebCore::RTCPeerConnection::~RTCPeerConnection):
(WebCore::RTCPeerConnection::stop):
Diff
Modified: trunk/Source/WebCore/ChangeLog (142886 => 142887)
--- trunk/Source/WebCore/ChangeLog 2013-02-14 17:38:42 UTC (rev 142886)
+++ trunk/Source/WebCore/ChangeLog 2013-02-14 17:47:36 UTC (rev 142887)
@@ -1,3 +1,21 @@
+2013-02-14 Tommy Widenflycht <tom...@google.com>
+
+ MediaStream API: RTCDataChannel triggers a use-after-free
+ https://bugs.webkit.org/show_bug.cgi?id=109806
+
+ Reviewed by Adam Barth.
+
+ Making sure RTCPeerConnection::stop() is always called at least once.
+ Also making sure that RTCDataChannels state gets set to Closed correctly.
+
+ Hard to test in WebKit but covered by Chromium tests.
+
+ * Modules/mediastream/RTCDataChannel.cpp:
+ (WebCore::RTCDataChannel::stop):
+ * Modules/mediastream/RTCPeerConnection.cpp:
+ (WebCore::RTCPeerConnection::~RTCPeerConnection):
+ (WebCore::RTCPeerConnection::stop):
+
2013-02-14 Vsevolod Vlasov <vse...@chromium.org>
Web Inspector: [Regression] When several consecutive characters are typed each of them is marked as undoable state.
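Review bot: the ChangeLog entry claims the fix is "covered by Chromium tests" but names none; please cite the Chromium test (or the reproduction from bug 109806) so the coverage claim can be checked, and consider adding a LayoutTest that creates an RTCPeerConnection with an open RTCDataChannel and then drops all references, since destruction without a prior stop() is exactly the path the ~RTCPeerConnection() change in this patch is meant to cover.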
Modified: trunk/Source/WebCore/Modules/mediastream/RTCDataChannel.cpp (142886 => 142887)
--- trunk/Source/WebCore/Modules/mediastream/RTCDataChannel.cpp 2013-02-14 17:38:42 UTC (rev 142886)
+++ trunk/Source/WebCore/Modules/mediastream/RTCDataChannel.cpp 2013-02-14 17:47:36 UTC (rev 142887)
@@ -243,6 +243,7 @@
void RTCDataChannel::stop()
{
m_stopped = true;
+ m_readyState = ReadyStateClosed;
m_handler->setClient(0);
m_scriptExecutionContext = 0;
}
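Review bot: unlike RTCPeerConnection::stop() in this same patch, RTCDataChannel::stop() gets no `if (m_stopped) return;` guard, yet it unconditionally runs `m_handler->setClient(0)`; if a channel can be stopped twice (the peer connection's stop() can now be reached from both the normal teardown path and the destructor), either confirm that m_handler is still valid on the second call or add the same early return here for symmetry. Setting m_readyState to ReadyStateClosed directly is fine, but note that it bypasses whatever readystate-change handling normally runs when the channel closes, which is presumably intended since the context is being cleared on the next line.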
Modified: trunk/Source/WebCore/Modules/mediastream/RTCPeerConnection.cpp (142886 => 142887)
--- trunk/Source/WebCore/Modules/mediastream/RTCPeerConnection.cpp 2013-02-14 17:38:42 UTC (rev 142886)
+++ trunk/Source/WebCore/Modules/mediastream/RTCPeerConnection.cpp 2013-02-14 17:47:36 UTC (rev 142887)
@@ -162,6 +162,7 @@
RTCPeerConnection::~RTCPeerConnection()
{
+ stop();
}
void RTCPeerConnection::createOffer(PassRefPtr<RTCSessionDescriptionCallback> successCallback, PassRefPtr<RTCErrorCallback> errorCallback, const Dictionary& mediaConstraints, ExceptionCode& ec)
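Review bot: the bare `stop();` in ~RTCPeerConnection() carries no comment saying why the destructor has to be a fallback for a call that the normal teardown path already makes; a one-liner ("stop() may not have run if the object is destroyed before its context is stopped; stop() is idempotent") would keep a later reader from removing it as redundant. It also means stop() now runs while the object is being torn down, so everything stop() touches must still be alive at that point; worth stating that assumption next to the call.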
@@ -590,6 +591,9 @@
void RTCPeerConnection::stop()
{
+ if (m_stopped)
+ return;
+
m_stopped = true;
m_iceConnectionState = IceConnectionStateClosed;
m_signalingState = SignalingStateClosed;
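Review bot: the new `if (m_stopped) return;` is what makes the added destructor call safe and also protects against re-entry from anything later in stop() that calls back into the connection, but nothing records that dependency; add a short comment so the guard is not later folded away, and consider an ASSERT on the early-return path that m_iceConnectionState and m_signalingState are already Closed, which is the invariant the first call is expected to have established before anyone relies on the short-circuit.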
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes