
Side by Side Diff: third_party/WebKit/Source/modules/vr/VRDisplay.cpp

Issue 2950233002: Validate untrusted VR mojo inputs into browser process (Closed)
Patch Set: make validation less strict, and fix a bug found with validation Created 3 years, 5 months ago
1 // Copyright 2016 The Chromium Authors. All rights reserved. 1 // Copyright 2016 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "modules/vr/VRDisplay.h" 5 #include "modules/vr/VRDisplay.h"
6 6
7 #include "core/css/StylePropertySet.h" 7 #include "core/css/StylePropertySet.h"
8 #include "core/dom/DOMException.h" 8 #include "core/dom/DOMException.h"
9 #include "core/dom/FrameRequestCallback.h" 9 #include "core/dom/FrameRequestCallback.h"
10 #include "core/dom/ScriptedAnimationController.h" 10 #include "core/dom/ScriptedAnimationController.h"
365 (layer_.rightBounds().size() != 0 && layer_.rightBounds().size() != 4)) { 365 (layer_.rightBounds().size() != 0 && layer_.rightBounds().size() != 4)) {
366 ForceExitPresent(); 366 ForceExitPresent();
367 DOMException* exception = DOMException::Create( 367 DOMException* exception = DOMException::Create(
368 kInvalidStateError, 368 kInvalidStateError,
369 "Layer bounds must either be an empty array or have 4 values"); 369 "Layer bounds must either be an empty array or have 4 values");
370 resolver->Reject(exception); 370 resolver->Reject(exception);
371 ReportPresentationResult(PresentationResult::kInvalidLayerBounds); 371 ReportPresentationResult(PresentationResult::kInvalidLayerBounds);
372 return promise; 372 return promise;
373 } 373 }
374 374
375 for (float value : layer_.leftBounds()) {
mthiesse 2017/07/11 14:52:24 Should move these checks into UpdateLayerBounds(),
billorr 2017/07/13 00:31:41 It is called from multiple places, but this is the
376 if (std::isnan(value)) {
377 ForceExitPresent();
378 DOMException* exception = DOMException::Create(
379 kInvalidStateError, "Layer bounds must not contain NAN values");
380 resolver->Reject(exception);
381 ReportPresentationResult(PresentationResult::kInvalidLayerBounds);
382 return promise;
383 }
384 }
385
386 for (float value : layer_.rightBounds()) {
387 if (std::isnan(value)) {
388 ForceExitPresent();
389 DOMException* exception = DOMException::Create(
390 kInvalidStateError, "Layer bounds must not contain NAN values");
391 resolver->Reject(exception);
392 ReportPresentationResult(PresentationResult::kInvalidLayerBounds);
393 return promise;
394 }
395 }
396
mthiesse 2017/07/11 14:52:24 Also check the width/height to be >= 0 to avoid un
billorr 2017/07/13 00:31:41 I removed the size check on the other side. We al
375 if (!pending_present_resolvers_.IsEmpty()) { 397 if (!pending_present_resolvers_.IsEmpty()) {
376 // If we are waiting on the results of a previous requestPresent call don't 398 // If we are waiting on the results of a previous requestPresent call don't
377 // fire a new request, just cache the resolver and resolve it when the 399 // fire a new request, just cache the resolver and resolve it when the
378 // original request returns. 400 // original request returns.
379 pending_present_resolvers_.push_back(resolver); 401 pending_present_resolvers_.push_back(resolver);
380 } else if (first_present) { 402 } else if (first_present) {
381 bool secure_context = 403 bool secure_context =
382 ExecutionContext::From(script_state)->IsSecureContext(); 404 ExecutionContext::From(script_state)->IsSecureContext();
383 if (!display_) { 405 if (!display_) {
384 ForceExitPresent(); 406 ForceExitPresent();
690 712
691 pending_previous_frame_render_ = true; 713 pending_previous_frame_render_ = true;
692 pending_submit_frame_ = true; 714 pending_submit_frame_ = true;
693 715
694 TRACE_EVENT_BEGIN0("gpu", "VRDisplay::SubmitFrame"); 716 TRACE_EVENT_BEGIN0("gpu", "VRDisplay::SubmitFrame");
695 vr_presentation_provider_->SubmitFrame( 717 vr_presentation_provider_->SubmitFrame(
696 vr_frame_id_, gpu::MailboxHolder(mailbox, sync_token, GL_TEXTURE_2D)); 718 vr_frame_id_, gpu::MailboxHolder(mailbox, sync_token, GL_TEXTURE_2D));
697 TRACE_EVENT_END0("gpu", "VRDisplay::SubmitFrame"); 719 TRACE_EVENT_END0("gpu", "VRDisplay::SubmitFrame");
698 720
699 did_submit_this_frame_ = true; 721 did_submit_this_frame_ = true;
722 // Reset our frame id, since anything we'd want to do (resizing/etc) can
723 // no-longer happen to this frame.
724 vr_frame_id_ = -1;
700 // If we were deferring a rAF-triggered vsync request, do this now. 725 // If we were deferring a rAF-triggered vsync request, do this now.
701 RequestVSync(); 726 RequestVSync();
702 727
703 // If preserveDrawingBuffer is false, must clear now. Normally this 728 // If preserveDrawingBuffer is false, must clear now. Normally this
704 // happens as part of compositing, but that's not active while 729 // happens as part of compositing, but that's not active while
705 // presenting, so run the responsible code directly. 730 // presenting, so run the responsible code directly.
706 rendering_context_->MarkCompositedAndClearBackbufferIfNeeded(); 731 rendering_context_->MarkCompositedAndClearBackbufferIfNeeded();
707 } 732 }
708 733
709 void VRDisplay::OnSubmitFrameTransferred() { 734 void VRDisplay::OnSubmitFrameTransferred() {
988 visitor->Trace(stage_parameters_); 1013 visitor->Trace(stage_parameters_);
989 visitor->Trace(eye_parameters_left_); 1014 visitor->Trace(eye_parameters_left_);
990 visitor->Trace(eye_parameters_right_); 1015 visitor->Trace(eye_parameters_right_);
991 visitor->Trace(layer_); 1016 visitor->Trace(layer_);
992 visitor->Trace(rendering_context_); 1017 visitor->Trace(rendering_context_);
993 visitor->Trace(scripted_animation_controller_); 1018 visitor->Trace(scripted_animation_controller_);
994 visitor->Trace(pending_present_resolvers_); 1019 visitor->Trace(pending_present_resolvers_);
995 } 1020 }
996 1021
997 } // namespace blink 1022 } // namespace blink
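Review bot: The two new loops over `layer_.leftBounds()` and `layer_.rightBounds()` reject NaN but still let ±infinity through, because `std::isnan` is false for an infinite float; `!std::isfinite(value)` rejects both at the same cost, so each test should become `if (!std::isfinite(value)) {` with the message `"Layer bounds must not contain NaN or infinite values"`. Nothing in this hunk shows whether an infinite bound is caught further down the path, so this assumes it is not and should be confirmed against the receiving side. The two loops are otherwise identical, differing only in the array walked; a small helper or lambda taking the bounds would keep a single copy of the ForceExitPresent/Reject/ReportPresentationResult sequence and make it harder for a future edit to fix one copy and miss the other. The enclosing function starts before and ends after this hunk.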