Add new MouseCursor interface for setting the mouse cursor.

ppapi/shared_impl/ppb_instance_shared.cc

Index: ppapi/shared_impl/ppb_instance_shared.cc
diff --git a/ppapi/shared_impl/ppb_instance_shared.cc b/ppapi/shared_impl/ppb_instance_shared.cc
index 7e931c303b94b93ab2173e610514febcf5e8946b..255a92e3eccd4ef43d904e800448ca9c621fdcd5 100644
--- a/ppapi/shared_impl/ppb_instance_shared.cc
+++ b/ppapi/shared_impl/ppb_instance_shared.cc
@@ -9,7 +9,10 @@
 #include "ppapi/c/pp_errors.h"
 #include "ppapi/c/ppb_input_event.h"
 #include "ppapi/shared_impl/ppapi_globals.h"
+#include "ppapi/shared_impl/ppb_image_data_shared.h"
 #include "ppapi/shared_impl/var.h"
+#include "ppapi/thunk/enter.h"
+#include "ppapi/thunk/ppb_image_data_api.h"
 
 namespace ppapi {
 
@@ -52,4 +55,44 @@ int32_t PPB_Instance_Shared::ValidateRequestInputEvents(
   return PP_OK;
 }
 
+bool PPB_Instance_Shared::ValidateSetCursorParams(PP_MouseCursor_Type type,
+                                                  PP_Resource image,
+                                                  const PP_Point* hot_spot) {
+  if (static_cast<int>(type) < static_cast<int>(PP_MOUSECURSOR_TYPE_CUSTOM) ||
+      static_cast<int>(type) > static_cast<int>(PP_MOUSECURSOR_TYPE_GRABBING))

[dmichael (off chromium), 2012/03/26 17:43:17]

optional: You could stick a "PP_MOUSECURSOR_TYPE_MAX" (or _END or whatever) on
the end of the list of enum values if you want this to be less arbitrary.

+    return false;  // Cursor type out of range.
+  if (type != PP_MOUSECURSOR_TYPE_CUSTOM) {
+    // The image must not be specified if the type isn't custom. However, we
+    // don't require that the hot spot be null since the C++ wrappers and proxy
+    // pass the point by reference and it will normally be specified.
+    return image == 0;
+  }
+
+  if (!hot_spot)
+    return false;  // Hot spot must be specified for custom cursor.
+
+  thunk::EnterResourceNoLock<thunk::PPB_ImageData_API> enter(image, true);
+  if (enter.failed())
+    return false;  // Invalid image resource.
+
+  // Validate the image size. A giant cursor can arbitrarily overwrite parts
+  // of the screen resulting in potential spoofing attacks. So we force the
+  // cursor to be a reasonably-sized image.

[dmichael (off chromium), 2012/03/26 17:43:17]

Is there any way for the image to change size to be bigger in the renderer while
we still think it's small enough in the plugin process?

I'm thinking not (size is immutable for a given ImageData, right?), but since
it's security-relevant, I figured it was worth asking.

[brettw, 2012/03/27 05:17:19]

No, image datas can't change sizes so we should be OK.

+  PP_ImageDataDesc desc;
+  if (!PP_ToBool(enter.object()->Describe(&desc)))
+    return false;
+  if (desc.size.width > 32 || desc.size.height > 32)
+    return false;
+
+  // Validate image format.
+  if (desc.format != PPB_ImageData_Shared::GetNativeImageDataFormat())
+    return false;
+
+  // Validate the hot spot location.
+  if (hot_spot->x < 0 || hot_spot->x >= desc.size.width ||
+      hot_spot->y < 0 || hot_spot->y >= desc.size.height)
+    return false;
+  return true;
+}
+
 }  // namespace ppapi