Add a hard limit for Flash JIT pages

webkit/plugins/npapi/webplugin_delegate_impl_win.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "webkit/plugins/npapi/webplugin_delegate_impl.h"
 
 #include <map>
 #include <string>
 #include <vector>
 
@@ skipping 130 matching lines @@
                                           SIZE_T size,
                                           DWORD new_protect,
                                           PDWORD old_protect);
 
 base::LazyInstance<base::win::IATPatchFunction> g_iat_patch_virtual_free =
     LAZY_INSTANCE_INITIALIZER;
 BOOL (WINAPI *g_iat_orig_virtual_free)(LPVOID address,
                                        SIZE_T size,
                                        DWORD free_type);
 
-const size_t kMaxPluginExecMemSize = 64 * 1024 * 1024;  // 64mb.
+const size_t kMaxPluginExecMemSize = 16 * 1024 * 1024;  // 16mb.
 const DWORD kExecPageMask = PAGE_EXECUTE | PAGE_EXECUTE_READ |
                             PAGE_EXECUTE_READWRITE;
 static volatile intptr_t g_max_exec_mem_size;
 static intptr_t g_exec_mem_size = 0;
 static scoped_ptr<base::Lock> g_exec_mem_lock;
 
 size_t UpdateExecMemSize(intptr_t size) {
   base::AutoLock locked(*g_exec_mem_lock);
   g_exec_mem_size += size;
   // Floor to zero since shutdown may unmap pages created before our hooks.
   if (g_exec_mem_size < 0)
     g_exec_mem_size = 0;
   if (g_exec_mem_size > g_max_exec_mem_size)
     g_max_exec_mem_size = g_exec_mem_size;
 
   return g_exec_mem_size;
 }
 
+// Throw a unique exception when the JIT limit is hit.
+inline void RaiseJITException() {
+  static const ULONG parameters[] = {1, 0xabad1dea /* 2880249322 */ };
+  ::RaiseException(EXCEPTION_ACCESS_VIOLATION, EXCEPTION_NONCONTINUABLE,
+                   2, parameters);

[cpu_(ooo_6.6-7.5), 2012/02/23 01:06:10]

instead of 2 use arraysize of whatever it is called

+}
+
 // http://crbug.com/16114
 // Enforces providing a valid device context in NPWindow, so that NPP_SetWindow
 // is never called with NPNWindoTypeDrawable and NPWindow set to NULL.
 // Doing so allows removing NPP_SetWindow call during painting a windowless
 // plugin, which otherwise could trigger layout change while painting by
 // invoking NPN_Evaluate. Which would cause bad, bad crashes. Bad crashes.
 // TODO(dglazkov): If this approach doesn't produce regressions, move class to
 // webplugin_delegate_impl.h and implement for other platforms.
 class DrawableContextEnforcer {
  public:
@@ skipping 170 matching lines @@
 // We need to track RX memory usage in plugins to prevent JIT spraying attacks.
 // This is done by hooking VirtualAlloc, VirtualProtect, and VirtualFree.
 LPVOID WINAPI WebPluginDelegateImpl::VirtualAllocPatch(LPVOID address,
                                                        SIZE_T size,
                                                        DWORD allocation_type,
                                                        DWORD protect) {
   void* p = g_iat_orig_virtual_alloc(address, size, allocation_type, protect);
   if (size && p && (protect & kExecPageMask)) {
     bool limit_exceeded = UpdateExecMemSize(static_cast<intptr_t>(size)) >
                           kMaxPluginExecMemSize;
-#ifndef NDEBUG  // TODO(jschuh): Do this in release after we get numbers.
     if (limit_exceeded)
-      ::DebugBreak();
-#endif
+      RaiseJITException();
   }
   return p;
 }
 
 BOOL WINAPI WebPluginDelegateImpl::VirtualProtectPatch(LPVOID address,
                                                        SIZE_T size,
                                                        DWORD new_protect,
                                                        PDWORD old_protect) {
   if (g_iat_orig_virtual_protect(address, size, new_protect, old_protect)) {
     bool is_exec = !!(new_protect & kExecPageMask);
     bool was_exec = !!(*old_protect & kExecPageMask);
     if (is_exec && !was_exec) {
       bool limit_exceeded = UpdateExecMemSize(static_cast<intptr_t>(size)) >
                             kMaxPluginExecMemSize;
-#ifndef NDEBUG  // TODO(jschuh): Do this in release after we get numbers.
       if (limit_exceeded)
-        ::DebugBreak();
-#endif
+        RaiseJITException();
     } else if (!is_exec && was_exec) {
       UpdateExecMemSize(-(static_cast<intptr_t>(size)));
     }
 
     return TRUE;
   }
 
   return FALSE;
 }
 
@@ skipping 1310 matching lines @@
       ::ReleaseCapture();
       break;
 
     default:
       break;
   }
 }
 
 }  // namespace npapi
 }  // namespace webkit