content/browser/renderer_host/pepper/browser_ppapi_host_impl.cc - Issue 2955703002: Validate in-process plugin instance messages.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: content/browser/renderer_host/pepper/browser_ppapi_host_impl.cc

Issue 2955703002: Validate in-process plugin instance messages. (Closed)

Patch Set: Created 3 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: content/browser/renderer_host/pepper/browser_ppapi_host_impl.cc

diff --git a/content/browser/renderer_host/pepper/browser_ppapi_host_impl.cc b/content/browser/renderer_host/pepper/browser_ppapi_host_impl.cc

index 998ef8ef4478d5c16f6cc520f7f9f2b1942ccf1e..36c26f84eb0aec688530f5def1d07002b94355ee 100644

--- a/content/browser/renderer_host/pepper/browser_ppapi_host_impl.cc

+++ b/content/browser/renderer_host/pepper/browser_ppapi_host_impl.cc

@@ -148,24 +148,37 @@ bool BrowserPpapiHostImpl::IsPotentiallySecurePluginContext(

void BrowserPpapiHostImpl::AddInstance(

PP_Instance instance,

const PepperRendererInstanceData& renderer_instance_data) {

- DCHECK(instance_map_.find(instance) == instance_map_.end());

- instance_map_[instance] =

- base::MakeUnique<InstanceData>(renderer_instance_data);

+ // NOTE: 'instance' may be coming from a compromised renderer process. We

+ // take care here to make sure an attacker can't overwrite data for an

+ // existing plugin instance.

+ // See http://crbug.com/733548.

+ if (instance_map_.find(instance) == instance_map_.end()) {

+ instance_map_[instance] =

+ base::MakeUnique<InstanceData>(renderer_instance_data);

+ } else {

+ NOTREACHED();

+ }

}

void BrowserPpapiHostImpl::DeleteInstance(PP_Instance instance) {

+ // NOTE: 'instance' may be coming from a compromised renderer process. We

+ // take care here to make sure an attacker can't cause a UAF by deleting a

+ // non-existent plugin instance.

+ // See http://crbug.com/733548.

auto it = instance_map_.find(instance);

- DCHECK(it != instance_map_.end());

- // We need to tell the observers for that instance that we are destroyed

- // because we won't have the opportunity to once we remove them from the

- // |instance_map_|. If the instance was deleted, observers for those instances

- // should never call back into the host anyway, so it is safe to tell them

- // that the host is destroyed.

- for (auto& observer : it->second->observer_list)

- observer.OnHostDestroyed();

+ if (it != instance_map_.end()) {

+ // We need to tell the observers for that instance that we are destroyed

+ // because we won't have the opportunity to once we remove them from the

+ // |instance_map_|. If the instance was deleted, observers for those

+ // instances should never call back into the host anyway, so it is safe to

+ // tell them that the host is destroyed.

+ for (auto& observer : it->second->observer_list)

+ observer.OnHostDestroyed();

- instance_map_.erase(it);

+ instance_map_.erase(it);

+ } else {

+ NOTREACHED();

+ }

}

void BrowserPpapiHostImpl::AddInstanceObserver(PP_Instance instance,

« no previous file with comments | « no previous file | content/browser/renderer_host/pepper/pepper_renderer_connection.cc » ('j') | no next file with comments »