Fix use-after-free in HTMLMediaElement::contextDestroyed
A use-after-free happens in the following scenario:
(1) ~HTMLMediaElement() is called
(2) ~MediaController() is called. But HTMLMediaElement::m_mediaController is not cleared out.
(3) ~Document() is called.
(4) HTMLMediaElement::contextDestroyed() is called. It accesses HTMLMediaElement::m_mediaController.
This CL clears out HTMLMediaElement::m_mediaController in (2) and fixes the issue.
For more details, see a crash report in the bug.
No test, since this bug is just detected in ASAN builds.
BUG=305278
Review URL: https://codereview.chromium.org/26129006
git-svn-id: svn://svn.chromium.org/blink/trunk@159237 bbb929c8-8fbe-4397-9dbb-9b2b20218538
1 file changed