Bug 264119

Summary: [GStreamer] MediaPlayerPrivateGStreamer stores refcounted AudioSourceProviderGStreamer in a std::unique_ptr
Product: WebKit
Reporter: Michael Catanzaro <mcatanzaro>
Component: Media
Assignee: Michael Catanzaro <mcatanzaro>
Status: RESOLVED FIXED
Severity: Normal
CC: bfulgham, bugs-noreply, mcatanzaro, philn, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: PC
OS: Linux
See Also: https://bugs.webkit.org/show_bug.cgi?id=261280, https://bugs.webkit.org/show_bug.cgi?id=261224

Description Michael Catanzaro 2023-11-02 17:00:34 PDT
The static assertion added in bug #261280 reveals that MediaPlayerPrivateGStreamer stores AudioSourceProviderGStreamer in a std::unique_ptr. This is unsafe because AudioSourceProviderGStreamer is refcounted and should not be deleted while a ref is outstanding.
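
The ownership hazard described in the report above, as an added example that is not part of the bug report or of WebKit's code. `Provider`, `Handle`, `IsRefCounted` and `GuardedUnique` are hypothetical stand-ins, and the guard is one assumed shape for a static assertion, not the one added in bug #261280.

```cpp
#include <memory>
#include <type_traits>

// Constructed stand-in for an intrusively refcounted class (not WebKit's RefCounted).
struct Provider {
    explicit Provider(bool* destroyedEarly) : m_destroyedEarly(destroyedEarly) { }
    ~Provider() { if (m_refs) *m_destroyedEarly = true; } // deleted with refs outstanding
    void ref() { ++m_refs; }
    void deref() { if (!--m_refs) delete this; }
    int m_refs { 1 }; // the creator holds the initial ref
    bool* m_destroyedEarly;
};
// Hypothetical minimal counting handle: adopts one ref, each copy takes another.
template<typename T> struct Handle {
    explicit Handle(T* adopted) : m_ptr(adopted) { }
    Handle(const Handle& other) : m_ptr(other.m_ptr) { m_ptr->ref(); }
    Handle& operator=(const Handle&) = delete;
    ~Handle() { m_ptr->deref(); }
    T* m_ptr;
};
// Hypothetical compile-time guard: detect ref()/deref() and refuse unique ownership.
template<typename T, typename = void> struct IsRefCounted : std::false_type { };
template<typename T>
struct IsRefCounted<T, std::void_t<decltype(&T::ref), decltype(&T::deref)>> : std::true_type { };
template<typename T> struct GuardedUnique {
    static_assert(!IsRefCounted<T>::value, "refcounted types must not live in a unique_ptr");
    std::unique_ptr<T> ptr;
}; // GuardedUnique<Provider> fails to compile; GuardedUnique<int> is accepted.
// Unsafe pattern: the owner deletes the object although a client took a ref.
bool destroyedEarlyWithUniquePtr() {
    bool early = false;
    {
        std::unique_ptr<Provider> owner(new Provider(&early));
        owner->ref(); // a client takes a ref and would keep a raw pointer
    } // unique_ptr ignores the count, so the client's pointer now dangles
    return early;
}
// Safe pattern: the object outlives its first owner while a client holds a ref.
bool destroyedEarlyWithHandle(int* refsAfterOwnerGone) {
    bool early = false;
    {
        auto owner = std::make_unique<Handle<Provider>>(new Provider(&early));
        Handle<Provider> client(*owner);
        owner.reset(); // drops one ref, the object stays alive
        *refsAfterOwnerGone = client.m_ptr->m_refs;
    } // last ref released here, the object deletes itself
    return early;
}
```
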
Comment 1 Radar WebKit Bug Importer 2023-11-02 17:00:46 PDT
<rdar://problem/117881093>
Comment 2 Michael Catanzaro 2023-11-02 17:29:24 PDT
This is a security bug, but the flaw is public on the 2.42 branch already since I needed to fix this for the 2.42.2 release, so no point in using the security fork for a pull request. Our scripts don't allow creating public pull requests against security bugs anymore, so changing product/component accordingly.
Comment 3 Michael Catanzaro 2023-11-02 17:29:58 PDT
Pull request: https://github.com/WebKit/WebKit/pull/19920
Comment 4 EWS 2023-11-06 07:31:00 PST
Committed 270266@main (0f803ec2d5e6): <https://commits.webkit.org/270266@main>

Reviewed commits have been landed. Closing PR #19920 and removing active labels.