Validate cookies in PrintCompositeClient

Make sure callers of GetCompositeRequest() are passing a valid cookie.

Fixed: 1124155
Change-Id: Idb3b88c29de39c17ac3a67f7905e73e924c35316
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2390994
Commit-Queue: Daniel Hosseinian <dhoss@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
Cr-Commit-Position: refs/heads/master@{#804095}

components/printing/browser/print_composite_client.cc

@@ -137,7 +137,7 @@ void PrintCompositeClient::OnDidPrintFrameContent(
     return;
   }
 
-  if (document_cookie_ != document_cookie)
+  if (!IsDocumentCookieValid(document_cookie))
     return;
 
   auto* render_frame_host =
@@ -163,6 +163,9 @@ void PrintCompositeClient::OnDidPrintFrameContent(
 void PrintCompositeClient::OnAccessibilityTree(
     int document_cookie,
     const ui::AXTreeUpdate& accessibility_tree) {
+  if (!IsDocumentCookieValid(document_cookie))
+    return;
+
   auto* compositor = GetCompositeRequest(document_cookie);
   compositor->SetAccessibilityTree(accessibility_tree);
 }
@@ -174,6 +177,9 @@ void PrintCompositeClient::PrintCrossProcessSubframe(
     content::RenderFrameHost* subframe_host) {
   auto params = mojom::PrintFrameContentParams::New(rect, document_cookie);
   if (!subframe_host->IsRenderFrameLive()) {
+    if (!IsDocumentCookieValid(document_cookie))
+      return;
+
     // When the subframe is dead, no need to send message,
     // just notify the service.
     auto* compositor = GetCompositeRequest(document_cookie);
@@ -206,6 +212,9 @@ void PrintCompositeClient::DoCompositePageToPdf(
     mojom::PrintCompositor::CompositePageToPdfCallback callback) {
   DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
 
+  if (!IsDocumentCookieValid(document_cookie))
+    return;
+
   auto* compositor = GetCompositeRequest(document_cookie);
   auto region = content.metafile_data_region.Duplicate();
   compositor->CompositePageToPdf(
@@ -236,6 +245,9 @@ void PrintCompositeClient::DoCompleteDocumentToPdf(
   DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
   DCHECK(GetIsDocumentConcurrentlyComposited(document_cookie));
 
+  if (!IsDocumentCookieValid(document_cookie))
+    return;
+
   auto* compositor = GetCompositeRequest(document_cookie);
 
   // Since this class owns compositor, compositor will be gone when this class
@@ -356,10 +368,13 @@ void PrintCompositeClient::RemoveCompositeRequest(int cookie) {
   is_doc_concurrently_composited_ = false;
 }
 
+bool PrintCompositeClient::IsDocumentCookieValid(int document_cookie) const {
+  return document_cookie != 0 && document_cookie == document_cookie_;
+}
+
 mojom::PrintCompositor* PrintCompositeClient::GetCompositeRequest(
     int cookie) const {
-  DCHECK_NE(0, document_cookie_);
-  DCHECK_EQ(document_cookie_, cookie);
+  DCHECK(IsDocumentCookieValid(cookie));
   DCHECK(compositor_.is_bound());
   return compositor_.get();
 }

components/printing/browser/print_composite_client.h

@@ -133,6 +133,9 @@ class PrintCompositeClient
   // Remove the existing composite request.
   void RemoveCompositeRequest(int cookie);
 
+  // Checks if the |document_cookie| is not 0 and matches |document_cookie_|.
+  bool IsDocumentCookieValid(int document_cookie) const;
+
   // Get the composite request of a document. |cookie| must be valid and equal
   // to |document_cookie_|.
   mojom::PrintCompositor* GetCompositeRequest(int cookie) const;