Bug 1312958 - Part 2: Only delete the trackinfo object once the decoder has been shutdown. r=gerald, a=ritu
author: Jean-Yves Avenard <jyavenard@mozilla.com>
Wed, 26 Oct 2016 20:13:44 +1100
changeset: 350805 0be0106a7b60f75e9fe360f8a9b6726de9393194
parent: 350804 c48392808bf05ecbe64356b9d95832203373cc45
child: 350806 099f27b5df3575ffe27aab8ec32f0b13d562e04c
push id: 1230
push user: jlund@mozilla.com
push date: Mon, 31 Oct 2016 18:13:35 +0000
treeherder: mozilla-release@5e06e3766db2
reviewers: gerald, ritu
bugs: 1312958
milestone: 50.0
While it's unlikely to have been a problem, as the decoder would have been idled at this stage. During the time the TrackInfo was reset and the decoder actually being shut down, the reference to the object would have been invalid, causing a potential UAF.

MozReview-Commit-ID: 7pGJtYRy2Yr
dom/media/MediaFormatReader.cpp
--- a/dom/media/MediaFormatReader.cpp
+++ b/dom/media/MediaFormatReader.cpp
@@ -999,23 +999,23 @@ MediaFormatReader::HandleDemuxedSamples(
         decoder.mNextStreamSourceID = Some(info->GetID());
         ScheduleUpdate(aTrack);
         return;
       }
 
       LOG("%s stream id has changed from:%d to:%d, recreating decoder.",
           TrackTypeToStr(aTrack), decoder.mLastStreamSourceID,
           info->GetID());
-      decoder.mInfo = info;
       decoder.mLastStreamSourceID = info->GetID();
       decoder.mNextStreamSourceID.reset();
       // Reset will clear our array of queued samples. So make a copy now.
       nsTArray<RefPtr<MediaRawData>> samples{decoder.mQueuedSamples};
       Reset(aTrack);
       decoder.ShutdownDecoder();
+      decoder.mInfo = info;
       if (sample->mKeyframe) {
         decoder.mQueuedSamples.AppendElements(Move(samples));
         NotifyDecodingRequested(aTrack);
       } else {
         TimeInterval time =
           TimeInterval(TimeUnit::FromMicroseconds(sample->mTime),
                        TimeUnit::FromMicroseconds(sample->GetEndTime()));
         InternalSeekTarget seekTarget =
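Review bot: the position of `decoder.mInfo = info;` right after `decoder.ShutdownDecoder();` is now a lifetime requirement, but nothing at that line records it, so a later cleanup could move the assignment back up next to `decoder.mLastStreamSourceID = info->GetID();` and reintroduce the stale reference the commit message describes. Please add a short comment above the assignment stating that the previous TrackInfo must stay alive until the decoder has been shut down. It is also worth confirming in the review that `ShutdownDecoder()` has fully released the decoder's reference by the time it returns; the visible lines do not show whether the shutdown completes synchronously, and if it does not, replacing `mInfo` on the very next line would still drop the old object too early.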