Potential use-after-free with an event fired at a HTMLMediaElement which is currently being deleted

https://bugs.webkit.org/show_bug.cgi?id=117466

Reviewed by Oliver Hunt.

Merge https://chromium.googlesource.com/chromium/blink/+/f4200a0093b3d9376f703961615359ec7fb712b4

If an event is created using as target an HTMLMediaElement which is
currently being deleted it becomes a heap-use-after free situation.

The GenericEventQueue instance is already owned by the HTMLMediaElement,
and there already is an underlying mechanism to set the target of the
event to NULL, if their target is owner of the queue.

In order to avoid creating this reference in the first place, we enqueue
the event with a NULL target to defer the refcount increment until the
timer for dispatching the event happens (which won't happen at all if
garbage collection is already destroying the objects).

Source/WebCore:

Test: media/track/media-element-enqueue-event-crash.html

* dom/GenericEventQueue.cpp:
(WebCore::GenericEventQueue::enqueueEvent): Don't ASSERT if the event has no target.

* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::~HTMLMediaElement): Close the event queue so it won't try to
    dispatch any pending events.
(WebCore::HTMLMediaElement::scheduleEvent): Don't set the event target, it will happen just
    prior to event dispatch.
(WebCore::HTMLMediaElement::stop): Close the event queue.

Change-Id: I2b17e9080516036d2a271b204d0925a1a3fb2930
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@151600 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>

0 files changed, 0 insertions, 0 deletions