Signal extension API schema corruption to the browser process.

extensions/browser/extension_message_filter.cc

Index: extensions/browser/extension_message_filter.cc
diff --git a/extensions/browser/extension_message_filter.cc b/extensions/browser/extension_message_filter.cc
index 6bdfac024e5f755f20880373371f1b489ddc93e1..f772df0f454575c20ac7a64e1aea67f0e284c79e 100644
--- a/extensions/browser/extension_message_filter.cc
+++ b/extensions/browser/extension_message_filter.cc
@@ -18,6 +18,7 @@
 #include "extensions/browser/process_manager_factory.h"
 #include "extensions/browser/process_map.h"
 #include "extensions/common/extension.h"
+#include "extensions/common/extension_api.h"
 #include "extensions/common/extension_messages.h"
 #include "extensions/common/manifest_handlers/background_info.h"
 #include "ipc/ipc_message_macros.h"
@@ -134,6 +135,8 @@ bool ExtensionMessageFilter::OnMessageReceived(const IPC::Message& message) {
                         OnExtensionTransferBlobsAck)
     IPC_MESSAGE_HANDLER(ExtensionHostMsg_WakeEventPage,
                         OnExtensionWakeEventPage)
+    IPC_MESSAGE_HANDLER(ExtensionHostMsg_NotifyBadExtensionApiSchema,
+                        OnExtensionNotifyBadExtensionApiSchema)
     IPC_MESSAGE_UNHANDLED(handled = false)
   IPC_END_MESSAGE_MAP()
   return handled;
@@ -318,4 +321,24 @@ void ExtensionMessageFilter::SendWakeEventPageResponse(int request_id,
   Send(new ExtensionMsg_WakeEventPageResponse(request_id, success));
 }
 
+void ExtensionMessageFilter::OnExtensionNotifyBadExtensionApiSchema(
+    const std::string& full_name) {
+  ExtensionAPI* extension_api = ExtensionAPI::GetSharedInstance();
+
+  // Try to resolve the full name; if we can't then the renderer sent a
+  // bogus name.
+  std::string api_name =
+      extension_api->GetAPINameFromFullName(full_name, nullptr);
+  if (api_name.empty()) {
+    ShutdownForBadMessage();
+    return;
+  }
+
+  // API name is valid, so check that we can parse the schema.

[Devlin, 2016/08/20 01:49:39]

I'd add to this comment to indicate that we *expect* this to fail in any
non-compromised state.

[Wez, 2016/08/21 00:58:41]

Done.

+  CHECK(extension_api->GetSchema(api_name));
+
+  // Schema looks valid to the browser, so renderer must be at fault.
+  ShutdownForBadMessage();
+}
+
 }  // namespace extensions