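--- a/content/browser/renderer_host/pepper/browser_ppapi_host_impl.cc
+++ b/content/browser/renderer_host/pepper/browser_ppapi_host_impl.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/renderer_host/pepper/browser_ppapi_host_impl.h"
 
 #include "base/memory/ptr_util.h"
 #include "base/metrics/histogram_macros.h"
 #include "content/browser/renderer_host/pepper/pepper_message_filter.h"
 #include "content/browser/tracing/trace_message_filter.h"
@@ -141,38 +141,51 @@
 PP_Instance instance) {
 auto it = instance_map_.find(instance);
 if (it == instance_map_.end())
 return false;
 return it->second->renderer_data.is_potentially_secure_plugin_context;
 }
 
 void BrowserPpapiHostImpl::AddInstance(
 PP_Instance instance,
 const PepperRendererInstanceData& renderer_instance_data) {
-DCHECK(instance_map_.find(instance) == instance_map_.end());
-instance_map_[instance] =
-base::MakeUnique<InstanceData>(renderer_instance_data);
+// NOTE: 'instance' may be coming from a compromised renderer process. We
+// take care here to make sure an attacker can't overwrite data for an
+// existing plugin instance.
+// See http://crbug.com/733548.
+if (instance_map_.find(instance) == instance_map_.end()) {
+instance_map_[instance] =
+base::MakeUnique<InstanceData>(renderer_instance_data);
+} else {
+NOTREACHED();
+}
 }
 
 void BrowserPpapiHostImpl::DeleteInstance(PP_Instance instance) {
+// NOTE: 'instance' may be coming from a compromised renderer process. We
+// take care here to make sure an attacker can't cause a UAF by deleting a
+// non-existent plugin instance.
+// See http://crbug.com/733548.
 auto it = instance_map_.find(instance);
-DCHECK(it != instance_map_.end());
+if (it != instance_map_.end()) {
+// We need to tell the observers for that instance that we are destroyed
+// because we won't have the opportunity to once we remove them from the
+// |instance_map_|. If the instance was deleted, observers for those
+// instances should never call back into the host anyway, so it is safe to
+// tell them that the host is destroyed.
+for (auto& observer : it->second->observer_list)
+observer.OnHostDestroyed();
 
-// We need to tell the observers for that instance that we are destroyed
-// because we won't have the opportunity to once we remove them from the
-// |instance_map_|. If the instance was deleted, observers for those instances
-// should never call back into the host anyway, so it is safe to tell them
-// that the host is destroyed.
-for (auto& observer : it->second->observer_list)
-observer.OnHostDestroyed();
-
-instance_map_.erase(it);
+instance_map_.erase(it);
+} else {
+NOTREACHED();
+}
 }
 
 void BrowserPpapiHostImpl::AddInstanceObserver(PP_Instance instance,
 InstanceObserver* observer) {
 instance_map_[instance]->observer_list.AddObserver(observer);
 }
 
 void BrowserPpapiHostImpl::RemoveInstanceObserver(PP_Instance instance,
 InstanceObserver* observer) {
 auto it = instance_map_.find(instance);
@@ -235,10 +248,10 @@
 
 BrowserPpapiHostImpl::InstanceData::InstanceData(
 const PepperRendererInstanceData& renderer_data)
 : renderer_data(renderer_data), is_throttled(false) {
 }
 
 BrowserPpapiHostImpl::InstanceData::~InstanceData() {
 }
 
 } // namespace content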
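Review bot: AddInstanceObserver at new line 186 still indexes with `instance_map_[instance]`, which default-inserts a null `std::unique_ptr<InstanceData>` for an unknown instance id and then dereferences it, so it has the same missing-lookup weakness the commit closes in AddInstance and DeleteInstance. Whether its `instance` argument can come from the same untrusted source is not visible here, but if it can, the same find-and-check shape applies: `auto it = instance_map_.find(instance);` / `if (it == instance_map_.end()) { NOTREACHED(); return; }` / `it->second->observer_list.AddObserver(observer);`. The two new NOTE comments would also be clearer if they stated the release-build behavior explicitly, since NOTREACHED() presumably compiles to nothing there and the request is then silently ignored, which is the intended fail-closed outcome; something like `// In release builds the request is silently dropped.` after each `// See http://crbug.com/733548.` line. RemoveInstanceObserver's body continues past the end of this section.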