Index: content/browser/renderer_host/pepper/browser_ppapi_host_impl.cc |
diff --git a/content/browser/renderer_host/pepper/browser_ppapi_host_impl.cc b/content/browser/renderer_host/pepper/browser_ppapi_host_impl.cc |
index 998ef8ef4478d5c16f6cc520f7f9f2b1942ccf1e..36c26f84eb0aec688530f5def1d07002b94355ee 100644 |
--- a/content/browser/renderer_host/pepper/browser_ppapi_host_impl.cc |
+++ b/content/browser/renderer_host/pepper/browser_ppapi_host_impl.cc |
@@ -148,24 +148,37 @@ bool BrowserPpapiHostImpl::IsPotentiallySecurePluginContext( |
void BrowserPpapiHostImpl::AddInstance( |
PP_Instance instance, |
const PepperRendererInstanceData& renderer_instance_data) { |
- DCHECK(instance_map_.find(instance) == instance_map_.end()); |
- instance_map_[instance] = |
- base::MakeUnique<InstanceData>(renderer_instance_data); |
+ // NOTE: 'instance' may be coming from a compromised renderer process. We |
+ // take care here to make sure an attacker can't overwrite data for an |
+ // existing plugin instance. |
+ // See http://crbug.com/733548. |
+ if (instance_map_.find(instance) == instance_map_.end()) { |
+ instance_map_[instance] = |
+ base::MakeUnique<InstanceData>(renderer_instance_data); |
+ } else { |
+ NOTREACHED(); |
+ } |
} |
void BrowserPpapiHostImpl::DeleteInstance(PP_Instance instance) { |
+ // NOTE: 'instance' may be coming from a compromised renderer process. We |
+ // take care here to make sure an attacker can't cause a UAF by deleting a |
+ // non-existent plugin instance. |
+ // See http://crbug.com/733548. |
auto it = instance_map_.find(instance); |
- DCHECK(it != instance_map_.end()); |
- |
- // We need to tell the observers for that instance that we are destroyed |
- // because we won't have the opportunity to once we remove them from the |
- // |instance_map_|. If the instance was deleted, observers for those instances |
- // should never call back into the host anyway, so it is safe to tell them |
- // that the host is destroyed. |
- for (auto& observer : it->second->observer_list) |
- observer.OnHostDestroyed(); |
+ if (it != instance_map_.end()) { |
+ // We need to tell the observers for that instance that we are destroyed |
+ // because we won't have the opportunity to once we remove them from the |
+ // |instance_map_|. If the instance was deleted, observers for those |
+ // instances should never call back into the host anyway, so it is safe to |
+ // tell them that the host is destroyed. |
+ for (auto& observer : it->second->observer_list) |
+ observer.OnHostDestroyed(); |
- instance_map_.erase(it); |
+ instance_map_.erase(it); |
+ } else { |
+ NOTREACHED(); |
+ } |
} |
void BrowserPpapiHostImpl::AddInstanceObserver(PP_Instance instance, |