Validate cookies in PrintCompositeClient

Make sure callers of GetCompositeRequest() are passing a valid cookie. Fixed: 1124155 Change-Id: Idb3b88c29de39c17ac3a67f7905e73e924c35316 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2390994 Commit-Queue: Daniel Hosseinian <dhoss@chromium.org> Reviewed-by: Lei Zhang <thestig@chromium.org> Cr-Commit-Position: refs/heads/master@{#804095}

Validate cookies in PrintCompositeClient
Make sure callers of GetCompositeRequest() are passing a valid cookie. Fixed: 1124155 Change-Id: Idb3b88c29de39c17ac3a67f7905e73e924c35316 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2390994 Commit-Queue: Daniel Hosseinian <dhoss@chromium.org> Reviewed-by: Lei Zhang <thestig@chromium.org> Cr-Commit-Position: refs/heads/master@{#804095}
8d9a5cd6 · Daniel Hosseinian · Commit Bot · fb968b83 · 8d9a5cd6 · 8d9a5cd6
Commit 8d9a5cd6 authored Sep 03, 2020 by Daniel Hosseinian Committed by Commit Bot Sep 03, 2020
2 changed files
--- a/components/printing/browser/print_composite_client.cc
+++ b/components/printing/browser/print_composite_client.cc
@@ -137,7 +137,7 @@ void PrintCompositeClient::OnDidPrintFrameContent(
    return;
  }
-  if (document_cookie_ != document_cookie)
+  if (!IsDocumentCookieValid(document_cookie))
    return;
  auto* render_frame_host =
@@ -163,6 +163,9 @@ void PrintCompositeClient::OnDidPrintFrameContent(
 void PrintCompositeClient::OnAccessibilityTree(
    int document_cookie,
    const ui::AXTreeUpdate& accessibility_tree) {
+  if (!IsDocumentCookieValid(document_cookie))
+    return;
  auto* compositor = GetCompositeRequest(document_cookie);
  compositor->SetAccessibilityTree(accessibility_tree);
 }
@@ -174,6 +177,9 @@ void PrintCompositeClient::PrintCrossProcessSubframe(
    content::RenderFrameHost* subframe_host) {
  auto params = mojom::PrintFrameContentParams::New(rect, document_cookie);
  if (!subframe_host->IsRenderFrameLive()) {
+    if (!IsDocumentCookieValid(document_cookie))
+      return;
    // When the subframe is dead, no need to send message,
    // just notify the service.
    auto* compositor = GetCompositeRequest(document_cookie);
@@ -206,6 +212,9 @@ void PrintCompositeClient::DoCompositePageToPdf(
    mojom::PrintCompositor::CompositePageToPdfCallback callback) {
  DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
+  if (!IsDocumentCookieValid(document_cookie))
+    return;
  auto* compositor = GetCompositeRequest(document_cookie);
  auto region = content.metafile_data_region.Duplicate();
  compositor->CompositePageToPdf(
@@ -236,6 +245,9 @@ void PrintCompositeClient::DoCompleteDocumentToPdf(
  DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
  DCHECK(GetIsDocumentConcurrentlyComposited(document_cookie));
+  if (!IsDocumentCookieValid(document_cookie))
+    return;
  auto* compositor = GetCompositeRequest(document_cookie);
  // Since this class owns compositor, compositor will be gone when this class
@@ -356,10 +368,13 @@ void PrintCompositeClient::RemoveCompositeRequest(int cookie) {
  is_doc_concurrently_composited_ = false;
 }
+bool PrintCompositeClient::IsDocumentCookieValid(int document_cookie) const {
+  return document_cookie != 0 && document_cookie == document_cookie_;
+}
 mojom::PrintCompositor* PrintCompositeClient::GetCompositeRequest(
    int cookie) const {
-  DCHECK_NE(0, document_cookie_);
+  DCHECK(IsDocumentCookieValid(cookie));
-  DCHECK_EQ(document_cookie_, cookie);
  DCHECK(compositor_.is_bound());
  return compositor_.get();
 }

--- a/components/printing/browser/print_composite_client.h
+++ b/components/printing/browser/print_composite_client.h
@@ -133,6 +133,9 @@ class PrintCompositeClient
  // Remove the existing composite request.
  void RemoveCompositeRequest(int cookie);
+  // Checks if the |document_cookie| is not 0 and matches |document_cookie_|.
+  bool IsDocumentCookieValid(int document_cookie) const;
  // Get the composite request of a document. |cookie| must be valid and equal
  // to |document_cookie_|.
  mojom::PrintCompositor* GetCompositeRequest(int cookie) const;