If an event is created using as target an HTMLMediaElement which is
currently being deleted, it becomes a heap use-after-free situation.

The GenericEventQueue instance is already owned by the HTMLMediaElement,
and there already is an underlying mechanism to set the target of the
event to NULL, if their target is the owner of the queue.

In order to avoid creating this reference in the first place, we enqueue
the event with a NULL target to defer the refcount increment until the
timer for dispatching the event happens (which won't happen at all if
garbage collection is already destroying the objects).
Review URL: https://chromiumcodereview.appspot.com/15739014

git-svn-id: svn://svn.chromium.org/blink/trunk@151692 bbb929c8-8fbe-4397-9dbb-9b2b20218538
4 files changed
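The ownership hazard and the fix described in the message, as an added example that is not Blink's code and not part of the commit: a small hypothetical model in which `Element` stands in for HTMLMediaElement, its `queue` member for the owned GenericEventQueue, and `destroy()` for the destructor that cancels pending events. The "emptied" event created during teardown, the `Mode` switch and all names are assumptions made for the illustration. In the old mode the event takes its reference to the target at enqueue time, so an event created while the refcount is already zero pushes it back to one and the cancel step drops it to zero a second time (a double free in real code, counted here instead). In the fixed mode the target stays NULL until the dispatch timer fires, so no reference is ever taken on a dying element.

```cpp
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

// Hypothetical model of the refcount hazard; not Blink's implementation.
struct Element;

struct Event {
    std::string type;
    Element* target = nullptr;   // non-null only while the event holds a ref on it
};

enum class Mode {
    BindTargetOnEnqueue,   // old behaviour: target (and its ref) set when enqueued
    BindTargetOnDispatch   // fixed behaviour: target set only when the timer fires
};

struct Element {
    Mode mode;
    int refs = 0;
    bool dying = false;            // true once the simulated destructor has started
    int refDroppedWhileDying = 0;  // refcount hit zero again during teardown: the UAF
    std::vector<Event> queue;      // stands in for the owned GenericEventQueue
    std::vector<std::string> dispatched;

    explicit Element(Mode m) : mode(m) {}

    void ref() { ++refs; }
    void deref() {
        if (--refs > 0) return;
        if (dying) { ++refDroppedWhileDying; return; }  // real code would free twice here
        destroy();
    }

    // Create an event whose target is this element.
    void enqueueEvent(const std::string& type) {
        Event e{type, nullptr};
        if (mode == Mode::BindTargetOnEnqueue) {
            e.target = this;
            ref();   // the event's RefPtr to its target: unsafe if refs is already 0
        }
        queue.push_back(std::move(e));
    }

    // Timer callback: dispatch everything pending. The element is alive if this runs.
    void dispatchPending() {
        std::vector<Event> batch;
        batch.swap(queue);
        for (Event& e : batch) {
            if (!e.target) {   // deferred binding: take the ref only now
                e.target = this;
                ref();
            }
            dispatched.push_back(e.type);
            e.target = nullptr;
            deref();           // event releases its target after dispatch
        }
    }

    // Stands in for the destructor: teardown creates one more event (hypothetical
    // "emptied"), then cancels the queue by clearing each event's target.
    void destroy() {
        dying = true;
        enqueueEvent("emptied");
        for (Event& e : queue) {
            if (e.target) { e.target = nullptr; deref(); }
        }
        queue.clear();
    }
};

struct Outcome {
    int dispatched;
    int refDroppedWhileDying;
};

// One owner holds the element, an event is dispatched normally, then the owner lets go.
Outcome runScenario(Mode mode) {
    Element el(mode);
    el.ref();
    el.enqueueEvent("play");
    el.dispatchPending();
    el.deref();                // last ref dropped -> destroy() runs
    return Outcome{static_cast<int>(el.dispatched.size()), el.refDroppedWhileDying};
}

int main() {
    Outcome old = runScenario(Mode::BindTargetOnEnqueue);
    Outcome fixed = runScenario(Mode::BindTargetOnDispatch);
    std::printf("bind on enqueue:  dispatched=%d, ref dropped while dying=%d\n",
                old.dispatched, old.refDroppedWhileDying);
    std::printf("bind on dispatch: dispatched=%d, ref dropped while dying=%d\n",
                fixed.dispatched, fixed.refDroppedWhileDying);
    return 0;
}
```

Both modes dispatch the normal "play" event identically; the difference shows only in teardown, where the old mode records one refcount drop to zero on an object that is already being destroyed and the fixed mode records none, because no target reference existed to be released.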