
Side by Side Diff: content/renderer/dom_storage/dom_storage_dispatcher.cc

Issue 2843303002: DOMStorage: Better defend against a tight loop maliciously using the API. (Closed)
Patch Set: 1000000 limit Created 3 years, 7 months ago
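--- a/content/renderer/dom_storage/dom_storage_dispatcher.cc
+++ b/content/renderer/dom_storage/dom_storage_dispatcher.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/renderer/dom_storage/dom_storage_dispatcher.h"
 
 #include <list>
 #include <map>
 
 #include "base/strings/string_number_conversions.h"
@@ -132,23 +132,31 @@
 int open_count_;
 CachedAreaHolder() : open_count_(0) {}
 CachedAreaHolder(DOMStorageCachedArea* area, int count)
 : area_(area), open_count_(count) {}
 };
 typedef std::map<std::string, CachedAreaHolder> CachedAreaMap;
 typedef std::list<CompletionCallback> CallbackList;
 
 ~ProxyImpl() override {}
 
-// Sudden termination is disabled when there are callbacks pending
-// to more reliably commit changes during shutdown.
 void PushPendingCallback(const CompletionCallback& callback) {
+// Terminate the renderer if an excessive number of calls are made,
+// This is indicative of script in an infinite loop or being malicious.
+// It's better to crash intentionally than by running the system OOM
+// and interfering with everything else running in the system.
+const int kMaxPendingCompletionCallbacks = 1000000;
+if (pending_callbacks_.size() > kMaxPendingCompletionCallbacks)
+CHECK(false) << "Too many pending DOMStorage calls.";
+
+// Sudden termination is disabled when there are callbacks pending
+// to more reliably commit changes during shutdown.
 if (pending_callbacks_.empty())
 blink::Platform::Current()->SuddenTerminationChanged(false);
 pending_callbacks_.push_back(callback);
 }
 
 CompletionCallback PopPendingCallback() {
 CompletionCallback callback = pending_callbacks_.front();
 pending_callbacks_.pop_front();
 if (pending_callbacks_.empty())
 blink::Platform::Current()->SuddenTerminationChanged(true);
@@ -326,10 +334,10 @@
 params.page_url, session_namespace_for_event_dispatch,
 originating_area);
 }
 }
 
 void DomStorageDispatcher::OnAsyncOperationComplete(bool success) {
 proxy_->CompleteOnePendingCallback(success);
 }
 
 } // namespace content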
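Review bot: The new guard in PushPendingCallback compares `pending_callbacks_.size()`, which is unsigned, against a `const int`, and spells the crash as `if (...) CHECK(false)`. Both read more cleanly as `constexpr size_t kMaxPendingCompletionCallbacks = 1000000;` followed by `CHECK_LE(pending_callbacks_.size(), kMaxPendingCompletionCallbacks) << "Too many pending DOMStorage calls.";`, which avoids the sign-compare warning and crashes under the same condition. The comment above the constant should also say what the cap bounds (queued completion callbacks awaiting a reply) and fix the comma splice before "This is indicative". Because the file sits under content/renderer, this limit only bounds script running in an intact renderer; if it is meant as a resource-exhaustion defence, the browser-side receiver presumably needs its own cap, which is not visible in this patch. The declaration of `pending_callbacks_` is outside the shown lines, so its type is inferred from the `CallbackList` typedef.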