From fea69fe34f5fc6c5ba71074b5be3e07184667fed Mon Sep 17 00:00:00 2001
From: Kilik Kuo
Date: Tue, 28 Nov 2017 23:06:34 +0800
Subject: [PATCH] Bug 1419897 - Crash in mozilla::dom::HTMLMediaElement::RemoveMediaKeys. r=jwwang
The process of |TryRemoveMediaKeysAssociation()| is a 2-step async procedue in mainthread. mMediaKeys might be set to null inside |NotifyOwnerDocumentActivityChanged()| in between |TryRemoveMediaKeysAssociation| and |RemoveMediaKeys|.
MozReview-Commit-ID: HtiADt3UTvp
--HG--
extra : rebase_source : 9eff95040b3e900fb778187e4e432bce0b41396b
---
 dom/html/HTMLMediaElement.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/dom/html/HTMLMediaElement.cpp b/dom/html/HTMLMediaElement.cpp
index c25359536eb2..2a617e6f8965 100644
--- a/dom/html/HTMLMediaElement.cpp
+++ b/dom/html/HTMLMediaElement.cpp
@@ -7136,7 +7136,9 @@ HTMLMediaElement::RemoveMediaKeys()
 LOG(LogLevel::Debug, ("%s", __func__));
 // 5.2.3 Stop using the CDM instance represented by the mediaKeys attribute
 // to decrypt media data and remove the association with the media element.
- mMediaKeys->Unbind();
+ if (mMediaKeys) {
+ mMediaKeys->Unbind();
+ }
 mMediaKeys = nullptr;
 }
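Review bot: The new `if (mMediaKeys)` guard in RemoveMediaKeys() carries no comment saying why the member can be null at this point, so a later cleanup could turn it back into an unconditional call or an assertion and reintroduce the null dereference. The reason currently lives only in the commit message; I would put it above the check, for example `// mMediaKeys may have been cleared by NotifyOwnerDocumentActivityChanged() after TryRemoveMediaKeysAssociation() started.` The other steps of this two-step async sequence are outside the hunk, so it is worth confirming that none of them dereferences mMediaKeys without the same check. The start of the function is also outside the hunk.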