Skip to content

GitLab

T
tangled
Commit 229fdaf8 authored by Guido Urdaneta's avatar Guido Urdaneta Committed by Commit Bot
Browse files
Options

Validate input of MediaStreamDispatcherHost::OpenDevice() 

This method forwards to MediaStreamManager::OpenDevice(), which
DCHECKs for the stream type to be device video or audio capture
(i.e., webcam or mic). However, MSDH admits other stream types,
which cause MSM::OpenDevice to hit this DCHECK.

This CL ensures that a message containing an incorrect stream type,
which could be sent by a malicious renderer, results in killing the
renderer process.

Bug: 1135018
Change-Id: I3884dde95d92c41f44966a8ab1dd7bdfd4b23b9b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2472397
Auto-Submit: Guido Urdaneta <guidou@chromium.org>
Commit-Queue: Guido Urdaneta <guidou@chromium.org>
Reviewed-by: default avatarAvi Drissman <avi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#817151}
parent 1e035724
Hide whitespace changes
Inline Side-by-side
Showing with 9 additions and 0 deletions
content/browser/bad_message.h
View file @ 229fdaf8
...@@ -259,6 +259,7 @@ enum BadMessageReason { ...@@ -259,6 +259,7 @@ enum BadMessageReason {
RFH_CSP_ATTRIBUTE = 231, RFH_CSP_ATTRIBUTE = 231,
RFH_RECEIVED_ASSOCIATED_MESSAGE_WHILE_BFCACHED = 232, RFH_RECEIVED_ASSOCIATED_MESSAGE_WHILE_BFCACHED = 232,
RWH_CLOSE_PORTAL = 233, RWH_CLOSE_PORTAL = 233,
MSDH_INVALID_STREAM_TYPE = 234,
// Please add new elements here. The naming convention is abbreviated class // Please add new elements here. The naming convention is abbreviated class
// name (e.g. RenderFrameHost becomes RFH) plus a unique description of the // name (e.g. RenderFrameHost becomes RFH) plus a unique description of the
......
content/browser/renderer_host/media/media_stream_dispatcher_host.cc
View file @ 229fdaf8
...@@ -196,6 +196,13 @@ void MediaStreamDispatcherHost::OpenDevice(int32_t page_request_id, ...@@ -196,6 +196,13 @@ void MediaStreamDispatcherHost::OpenDevice(int32_t page_request_id,
blink::mojom::MediaStreamType type, blink::mojom::MediaStreamType type,
OpenDeviceCallback callback) { OpenDeviceCallback callback) {
DCHECK_CURRENTLY_ON(BrowserThread::IO); DCHECK_CURRENTLY_ON(BrowserThread::IO);
// OpenDevice is only supported for microphone or webcam capture.
if (type != blink::mojom::MediaStreamType::DEVICE_AUDIO_CAPTURE &&
type != blink::mojom::MediaStreamType::DEVICE_VIDEO_CAPTURE) {
bad_message::ReceivedBadMessage(
render_process_id_, bad_message::MDDH_INVALID_DEVICE_TYPE_REQUEST);
return;
}
base::PostTaskAndReplyWithResult( base::PostTaskAndReplyWithResult(
GetUIThreadTaskRunner({}).get(), FROM_HERE, GetUIThreadTaskRunner({}).get(), FROM_HERE,
......
tools/metrics/histograms/enums.xml
View file @ 229fdaf8
...@@ -6486,6 +6486,7 @@ Called by update_bad_message_reasons.py.--> ...@@ -6486,6 +6486,7 @@ Called by update_bad_message_reasons.py.-->
<int value="231" label="RFH_CSP_ATTRIBUTE"/> <int value="231" label="RFH_CSP_ATTRIBUTE"/>
<int value="232" label="RFH_RECEIVED_ASSOCIATED_MESSAGE_WHILE_BFCACHED"/> <int value="232" label="RFH_RECEIVED_ASSOCIATED_MESSAGE_WHILE_BFCACHED"/>
<int value="233" label="RWH_CLOSE_PORTAL"/> <int value="233" label="RWH_CLOSE_PORTAL"/>
<int value="234" label="MSDH_INVALID_STREAM_TYPE"/>
</enum> </enum>
<enum name="BadMessageReasonExtensions"> <enum name="BadMessageReasonExtensions">
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment