Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(54)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 507037: Returns an error immediately without sending IPC message when a font family n... (Closed)

Created:
11 years ago by Yusuke Sato
Modified:
9 years, 7 months ago
Reviewers:
agl
CC:
chromium-reviews_googlegroups.com, brettw+cc_chromium.org, darin (slow to review), jam, ben+cc_chromium.org
Visibility:
Public.

Description

Returns an error immediately without sending IPC message when a font family name to resolve is too long. This change is important when a site has @font-face rule like: // http://paulirish.com/webkit-fontface-hang.html @font-face{font-family:testfont;src:url('data:font/ttf;base64,AA.....<<looooooooooong base64 data>>.....aQ==')} In such a case, WebCore first calls SkFontHost::CreateTypeface() with the (possibly very long) data-uri string itself, then calls SkFontHost::CreateTypefaceFromStream() with decoded byte stream. Since render_sandbox_host_linux.cc just ignores too long IPC message, the renderer process could block indefinitely waiting for a reply inside recvmsg() system call called from SkFontHost::CreateTypeface(). I'm not sure if the WebCore behavior (i.e. calling CreateTypeface with data-uris) is reasonable, but I believe the Skia part is better to be fixed anyway. Non data-uri font family names could be very long too: @font-face{font-family:testfont;src:local('AA........AA');} BUG=29861 TEST=First, set up your Linux SUID Sandbox binary: http://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment. Then start Chromium and visit http://paulirish.com/webkit-fontface-hang.html or http://typekit.com/. Verify that the renderer does not freeze. Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=34915

Patch Set 1 #

Total comments: 6

Patch Set 2 : '' #

Unified diffs Side-by-side diffs Delta from patch set Stats (+22 lines, -4 lines) Patch
M chrome/browser/renderer_host/render_sandbox_host_linux.cc View 1 1 chunk +12 lines, -3 lines 0 comments Download
M skia/ext/SkFontHost_fontconfig_direct.cpp View 1 chunk +3 lines, -0 lines 0 comments Download
M skia/ext/SkFontHost_fontconfig_impl.h View 2 chunks +4 lines, -1 line 0 comments Download
M skia/ext/SkFontHost_fontconfig_ipc.cpp View 1 chunk +3 lines, -0 lines 0 comments Download

Messages

Total messages: 3 (0 generated)
Yusuke Sato
11 years ago (2009-12-17 13:38:08 UTC) #1
agl
LGTM http://codereview.chromium.org/507037/diff/1/5 File chrome/browser/renderer_host/render_sandbox_host_linux.cc (right): http://codereview.chromium.org/507037/diff/1/5#newcode105 chrome/browser/renderer_host/render_sandbox_host_linux.cc:105: // bytes long (all other messages are smaller ...
11 years ago (2009-12-17 18:11:38 UTC) #2
Yusuke Sato
11 years ago (2009-12-18 01:14:09 UTC) #3 
Thanks, submitting.

http://codereview.chromium.org/507037/diff/1/5
File chrome/browser/renderer_host/render_sandbox_host_linux.cc (right):

http://codereview.chromium.org/507037/diff/1/5#newcode105
chrome/browser/renderer_host/render_sandbox_host_linux.cc:105: // bytes long
(all other messages are smaller than the message).
On 2009/12/17 18:11:38, agl wrote:
> (all other ...) -> (this is the largest message type)

Done.

http://codereview.chromium.org/507037/diff/1/5#newcode106
chrome/browser/renderer_host/render_sandbox_host_linux.cc:106: // 128 byets
padding are necessary so recvmsg() does not return MSG_TRUNC
On 2009/12/17 18:11:38, agl wrote:
> byets -> bytes.

Done.

http://codereview.chromium.org/507037/diff/1/5#newcode113
chrome/browser/renderer_host/render_sandbox_host_linux.cc:113: NOTREACHED() <<
"The message is larger than kMaxFontFamilyLength??";
On 2009/12/17 18:11:38, agl wrote:
> "The m" -> "Sandbox host m"
> "??" -> ""

Done.

Powered by Google App Engine
This is Rietveld 408576698