264119 – [GStreamer] MediaPlayerPrivateGStreamer stores refcounted AudioSourceProviderGStreamer in a std::unique_ptr

Bug 264119 - [GStreamer] MediaPlayerPrivateGStreamer stores refcounted AudioSourceProviderGStreamer in a std::unique_ptr

Summary: [GStreamer] MediaPlayerPrivateGStreamer stores refcounted AudioSourceProvider...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Media (show other bugs)
Version:	WebKit Nightly Build
Hardware:	PC Linux

Importance:	P2 Normal
Assignee:	Michael Catanzaro

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2023-11-02 17:00 PDT by Michael Catanzaro
Modified:	2023-11-06 07:31 PST (History)
CC List:	5 users (show)

See Also:	261280 261224

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Catanzaro 2023-11-02 17:00:34 PDT

The static assertion added in bug #261280 reveals that MediaPlayerPrivateGStreamer stores AudioSourceProviderGStreamer in a std::unique_ptr. This is unsafe because AudioSourceProviderGStreamer is refcounted and should not be deleted while a ref is outstanding.

Comment 1 Radar WebKit Bug Importer 2023-11-02 17:00:46 PDT

<rdar://problem/117881093>

Comment 2 Michael Catanzaro 2023-11-02 17:29:24 PDT

This is a security bug, but the flaw is public on the 2.42 branch already since I needed to fix this for the 2.42.2 release, so no point in using the security fork for a pull request. Our scripts don't allow creating public pull requests against security bugs anymore, so changing product/component accordingly.

Comment 3 Michael Catanzaro 2023-11-02 17:29:58 PDT

Pull request: https://github.com/WebKit/WebKit/pull/19920

Comment 4 EWS 2023-11-06 07:31:00 PST

Committed 270266@main (0f803ec2d5e6): <https://commits.webkit.org/270266@main>

Reviewed commits have been landed. Closing PR #19920 and removing active labels.