Validate in-process plugin instance messages.

content/browser/renderer_host/pepper/browser_ppapi_host_impl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/renderer_host/pepper/browser_ppapi_host_impl.h"
 
 #include "base/memory/ptr_util.h"
 #include "base/metrics/histogram_macros.h"
 #include "content/browser/renderer_host/pepper/pepper_message_filter.h"
 #include "content/browser/tracing/trace_message_filter.h"
@@ skipping 130 matching lines @@
     PP_Instance instance) {
   auto it = instance_map_.find(instance);
   if (it == instance_map_.end())
     return false;
   return it->second->renderer_data.is_potentially_secure_plugin_context;
 }
 
 void BrowserPpapiHostImpl::AddInstance(
     PP_Instance instance,
     const PepperRendererInstanceData& renderer_instance_data) {
-  DCHECK(instance_map_.find(instance) == instance_map_.end());
-  instance_map_[instance] =
-      base::MakeUnique<InstanceData>(renderer_instance_data);
+  // NOTE: 'instance' may be coming from a compromised renderer process. We
+  // take care here to make sure an attacker can't overwrite data for an
+  // existing plugin instance.
+  // See http://crbug.com/733548.
+  if (instance_map_.find(instance) == instance_map_.end()) {
+    instance_map_[instance] =
+        base::MakeUnique<InstanceData>(renderer_instance_data);
+  } else {
+    NOTREACHED();
+  }
 }
 
 void BrowserPpapiHostImpl::DeleteInstance(PP_Instance instance) {
+  // NOTE: 'instance' may be coming from a compromised renderer process. We
+  // take care here to make sure an attacker can't cause a UAF by deleting a
+  // non-existent plugin instance.
+  // See http://crbug.com/733548.
   auto it = instance_map_.find(instance);
-  DCHECK(it != instance_map_.end());
+  if (it != instance_map_.end()) {
+    // We need to tell the observers for that instance that we are destroyed
+    // because we won't have the opportunity to once we remove them from the
+    // |instance_map_|. If the instance was deleted, observers for those
+    // instances should never call back into the host anyway, so it is safe to
+    // tell them that the host is destroyed.
+    for (auto& observer : it->second->observer_list)
+      observer.OnHostDestroyed();
 
-  // We need to tell the observers for that instance that we are destroyed
-  // because we won't have the opportunity to once we remove them from the
-  // |instance_map_|. If the instance was deleted, observers for those instances
-  // should never call back into the host anyway, so it is safe to tell them
-  // that the host is destroyed.
-  for (auto& observer : it->second->observer_list)
-    observer.OnHostDestroyed();
-
-  instance_map_.erase(it);
+    instance_map_.erase(it);
+  } else {
+    NOTREACHED();
+  }
 }
 
 void BrowserPpapiHostImpl::AddInstanceObserver(PP_Instance instance,
                                                InstanceObserver* observer) {
   instance_map_[instance]->observer_list.AddObserver(observer);
 }
 
 void BrowserPpapiHostImpl::RemoveInstanceObserver(PP_Instance instance,
                                                   InstanceObserver* observer) {
   auto it = instance_map_.find(instance);
@@ skipping 56 matching lines @@
 
 BrowserPpapiHostImpl::InstanceData::InstanceData(
     const PepperRendererInstanceData& renderer_data)
     : renderer_data(renderer_data), is_throttled(false) {
 }
 
 BrowserPpapiHostImpl::InstanceData::~InstanceData() {
 }
 
 }  // namespace content