Clamp the initial vector capacity for active source nodes

In BaseAudioContext::PerformCleanupOnMainThread, a vector is created for active source nodes and then its internal storage is swapped after the inactive source nodes are removed. This speculative fix clamps the capacity of the vector into the range between 0 and the current total active source nodes counts. My guess is in some cases the subtraction of these two unsigned values can be wrapped around to a huge number causing a crash with OOM. Bug: 814108 Change-Id: Id69979119a7d2f44de1be35fc0b27e7b39a6ed06 Reviewed-on: https://chromium-review.googlesource.com/963483 Commit-Queue: Hongchan Choi <hongchan@chromium.org> Reviewed-by: Kentaro Hara <haraken@chromium.org> Reviewed-by: Raymond Toy <rtoy@chromium.org> Cr-Commit-Position: refs/heads/master@{#543559}

Clamp the initial vector capacity for active source nodes
In BaseAudioContext::PerformCleanupOnMainThread, a vector is created for active source nodes and then its internal storage is swapped after the inactive source nodes are removed. This speculative fix clamps the capacity of the vector into the range between 0 and the current total active source nodes counts. My guess is in some cases the subtraction of these two unsigned values can be wrapped around to a huge number causing a crash with OOM. Bug: 814108 Change-Id: Id69979119a7d2f44de1be35fc0b27e7b39a6ed06 Reviewed-on: https://chromium-review.googlesource.com/963483 Commit-Queue: Hongchan Choi <hongchan@chromium.org> Reviewed-by: Kentaro Hara <haraken@chromium.org> Reviewed-by: Raymond Toy <rtoy@chromium.org> Cr-Commit-Position: refs/heads/master@{#543559}
6292a562 · Hongchan Choi · Commit Bot · 3cb17f99 · 6292a562
Commit 6292a562 authored Mar 16, 2018 by Hongchan Choi Committed by Commit Bot Mar 16, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 8 deletions

third_party/WebKit/Source/modules/webaudio/BaseAudioContext.cpp ...party/WebKit/Source/modules/webaudio/BaseAudioContext.cpp +14 -8

No files found.
--- a/third_party/WebKit/Source/modules/webaudio/BaseAudioContext.cpp
+++ b/third_party/WebKit/Source/modules/webaudio/BaseAudioContext.cpp
@@ -817,16 +817,22 @@ void BaseAudioContext::PerformCleanupOnMainThread() {
      }
    }

-    // Copy over the surviving active nodes.
-    HeapVector<Member<AudioNode>> actives;
-    CHECK_GE(active_source_nodes_.size(), remove_count);
-    actives.ReserveInitialCapacity(active_source_nodes_.size() - remove_count);
-    for (unsigned i = 0; i < removables.size(); ++i) {
-      if (!removables[i])
-        actives.push_back(active_source_nodes_[i]);
+    // Copy over the surviving active nodes after removal.
+    if (remove_count > 0) {
+      HeapVector<Member<AudioNode>> actives;
+      DCHECK_GE(active_source_nodes_.size(), remove_count);
+      size_t initial_capacity =
+          std::min(active_source_nodes_.size() - remove_count,
+                   active_source_nodes_.size());
+      actives.ReserveInitialCapacity(initial_capacity);
+      for (unsigned i = 0; i < removables.size(); ++i) {
+        if (!removables[i])
+          actives.push_back(active_source_nodes_[i]);
+      }
+      active_source_nodes_.swap(actives);
    }
-    active_source_nodes_.swap(actives);
  }
+
  has_posted_cleanup_task_ = false;
 }