Raw Clipboard: Ensure Renderer is still active before use.

Ensure the RenderFrameHost is still active before use. Previously, RawClipboardHostImpl incorrectly assumed that the RenderFrameHost was guaranteed to outlive the RawClipboardHostImpl, and didn't check that the renderer was always still active. Bug: 1101509 Change-Id: I3e503634be50b1ca60e4c00131546c2337e4176a Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2411673Reviewed-by: Scott Violet <sky@chromium.org> Commit-Queue: Darwin Huang <huangdarwin@chromium.org> Cr-Commit-Position: refs/heads/master@{#809201}

Raw Clipboard: Ensure Renderer is still active before use.
Ensure the RenderFrameHost is still active before use. Previously, RawClipboardHostImpl incorrectly assumed that the RenderFrameHost was guaranteed to outlive the RawClipboardHostImpl, and didn't check that the renderer was always still active. Bug: 1101509 Change-Id: I3e503634be50b1ca60e4c00131546c2337e4176a Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2411673Reviewed-by: Scott Violet <sky@chromium.org> Commit-Queue: Darwin Huang <huangdarwin@chromium.org> Cr-Commit-Position: refs/heads/master@{#809201}
70af807c · Darwin Huang · Commit Bot · e27f70d0 · 70af807c · 70af807c
Commit 70af807c authored Sep 22, 2020 by Darwin Huang Committed by Commit Bot Sep 22, 2020
2 changed files
--- a/content/browser/renderer_host/raw_clipboard_host_impl.cc
+++ b/content/browser/renderer_host/raw_clipboard_host_impl.cc
@@ -24,19 +24,6 @@

 namespace content {

-namespace {
-
-std::unique_ptr<ui::ClipboardDataEndpoint> CreateDataEndpoint(
-    RenderFrameHost* render_frame_host) {
-  if (render_frame_host)
-    return std::make_unique<ui::ClipboardDataEndpoint>(
-        render_frame_host->GetLastCommittedOrigin());
-
-  return nullptr;
-}
-
-}  // namespace
-
 void RawClipboardHostImpl::Create(
    RenderFrameHost* render_frame_host,
    mojo::PendingReceiver<blink::mojom::RawClipboardHost> receiver) {
@@ -93,12 +80,14 @@ RawClipboardHostImpl::~RawClipboardHostImpl() {
 RawClipboardHostImpl::RawClipboardHostImpl(
    mojo::PendingReceiver<blink::mojom::RawClipboardHost> receiver,
    RenderFrameHost* render_frame_host)
-    : receiver_(this, std::move(receiver)),
+    : render_frame_routing_id_(
+          GlobalFrameRoutingId(render_frame_host->GetProcess()->GetID(),
+                               render_frame_host->GetRoutingID())),
+      receiver_(this, std::move(receiver)),
      clipboard_(ui::Clipboard::GetForCurrentThread()),
      clipboard_writer_(
          new ui::ScopedClipboardWriter(ui::ClipboardBuffer::kCopyPaste,
-                                        CreateDataEndpoint(render_frame_host))),
-      render_frame_host_(render_frame_host) {
+                                        CreateDataEndpoint())) {
  DCHECK(render_frame_host);
 }

@@ -108,8 +97,7 @@ void RawClipboardHostImpl::ReadAvailableFormatNames(
    return;
  std::vector<base::string16> raw_types =
      clipboard_->ReadAvailablePlatformSpecificFormatNames(
-          ui::ClipboardBuffer::kCopyPaste,
-          CreateDataEndpoint(render_frame_host_).get());
+          ui::ClipboardBuffer::kCopyPaste, CreateDataEndpoint().get());
  std::move(callback).Run(raw_types);
 }

@@ -125,7 +113,7 @@ void RawClipboardHostImpl::Read(const base::string16& format,
  std::string result;
  clipboard_->ReadData(
      ui::ClipboardFormatType::GetType(base::UTF16ToUTF8(format)),
-      CreateDataEndpoint(render_frame_host_).get(), &result);
+      CreateDataEndpoint().get(), &result);
  base::span<const uint8_t> span(
      reinterpret_cast<const uint8_t*>(result.data()), result.size());
  mojo_base::BigBuffer buffer = mojo_base::BigBuffer(span);
@@ -171,15 +159,31 @@ void RawClipboardHostImpl::Write(const base::string16& format,

 void RawClipboardHostImpl::CommitWrite() {
  clipboard_writer_ = std::make_unique<ui::ScopedClipboardWriter>(
-      ui::ClipboardBuffer::kCopyPaste, CreateDataEndpoint(render_frame_host_));
+      ui::ClipboardBuffer::kCopyPaste, CreateDataEndpoint());
+}
+
+std::unique_ptr<ui::ClipboardDataEndpoint>
+RawClipboardHostImpl::CreateDataEndpoint() {
+  RenderFrameHostImpl* render_frame_host =
+      RenderFrameHostImpl::FromID(render_frame_routing_id_);
+  if (!render_frame_host)
+    return nullptr;
+
+  return std::make_unique<ui::ClipboardDataEndpoint>(
+      render_frame_host->GetLastCommittedOrigin());
 }

 bool RawClipboardHostImpl::HasTransientUserActivation() const {
+  RenderFrameHostImpl* render_frame_host =
+      RenderFrameHostImpl::FromID(render_frame_routing_id_);
+  if (!render_frame_host)
+    return false;
+
  // Renderer process should already check for user activation before sending
  // this request. Double check in case of compromised renderer.
  // mojo::ReportBadMessage() is not appropriate here, because user activation
  // may expire after the renderer check but before the browser check.
-  return render_frame_host_->HasTransientUserActivation();
+  return render_frame_host->HasTransientUserActivation();
 }

 }  // namespace content
--- a/content/browser/renderer_host/raw_clipboard_host_impl.h
+++ b/content/browser/renderer_host/raw_clipboard_host_impl.h
@@ -44,15 +44,15 @@ class CONTENT_EXPORT RawClipboardHostImpl
  void Write(const base::string16& format, mojo_base::BigBuffer data) override;
  void CommitWrite() override;

+  std::unique_ptr<ui::ClipboardDataEndpoint> CreateDataEndpoint();
  bool HasTransientUserActivation() const;

+  // The render frame is not owned.
+  const GlobalFrameRoutingId render_frame_routing_id_;
+
  mojo::Receiver<blink::mojom::RawClipboardHost> receiver_;
  ui::Clipboard* const clipboard_;  // Not owned.
  std::unique_ptr<ui::ScopedClipboardWriter> clipboard_writer_;
-  // Not owned. Raw pointer usage is safe here because RawClipboardHostImpl is
-  // per-frame, so |render_frame_host_| is guaranteed to outlive the
-  // RawClipboardHostImpl.
-  RenderFrameHost* const render_frame_host_;
 };

 }  // namespace content