Google Git
Sign in
chromium / chromium / blink / 177999cdb34b707465670f0feff723922939f278
commit177999cdb34b707465670f0feff723922939f278[log] [tgz]
authorharaken@chromium.org <haraken@chromium.org@bbb929c8-8fbe-4397-9dbb-9b2b20218538>Wed Oct 09 15:58:29 2013
committerharaken@chromium.org <haraken@chromium.org@bbb929c8-8fbe-4397-9dbb-9b2b20218538>Wed Oct 09 15:58:29 2013
treeef24e74ebefc5bdfb17eb0897ea45e8afa0e8e9b
parent98dc9fc8be976a39a6d07ae664c2a07a06cd938b [diff]
Fix use-after-free in HTMLMediaElement::contextDestroyed

A use-after-free happens in the following scenario:

(1) ~HTMLMediaElement() is called
(2) ~MediaController() is called. But HTMLMediaElement::m_mediaController is not cleared out.
(3) ~Document() is called.
(4) HTMLMediaElement::contextDestroyed() is called. It accesses HTMLMediaElement::m_mediaController.

This CL clears out HTMLMediaElement::m_mediaController in (2) and fixes the issue.

For more details, see a crash report in the bug.

No test, since this bug is just detected in ASAN builds.

BUG=305278

Review URL: https://codereview.chromium.org/26129006

git-svn-id: svn://svn.chromium.org/blink/trunk@159237 bbb929c8-8fbe-4397-9dbb-9b2b20218538
1 file changed
tree: ef24e74ebefc5bdfb17eb0897ea45e8afa0e8e9b
  1. LayoutTests/
  2. ManualTests/
  3. PerformanceTests/
  4. public/
  5. Source/
  6. Tools/
  7. .gitattributes
  8. .gitignore
  9. codereview.settings
  10. OWNERS
  11. PRESUBMIT.py
  12. WATCHLISTS