AppCache: Defend against bad IPC messages.

BUG=487286

Review URL: https://codereview.chromium.org/1137463006

Cr-Commit-Position: refs/heads/master@{#330443}

content/browser/appcache/appcache_backend_impl.cc

@@ -68,7 +68,7 @@ bool AppCacheBackendImpl::SelectCache(
     const int64 cache_document_was_loaded_from,
     const GURL& manifest_url) {
   AppCacheHost* host = GetHost(host_id);
-  if (!host)
+  if (!host || host->was_select_cache_called())
     return false;
 
   host->SelectCache(document_url, cache_document_was_loaded_from,
@@ -79,7 +79,7 @@ bool AppCacheBackendImpl::SelectCache(
 bool AppCacheBackendImpl::SelectCacheForWorker(
     int host_id, int parent_process_id, int parent_host_id) {
   AppCacheHost* host = GetHost(host_id);
-  if (!host)
+  if (!host || host->was_select_cache_called())
     return false;
 
   host->SelectCacheForWorker(parent_process_id, parent_host_id);
@@ -89,7 +89,7 @@ bool AppCacheBackendImpl::SelectCacheForWorker(
 bool AppCacheBackendImpl::SelectCacheForSharedWorker(
     int host_id, int64 appcache_id) {
   AppCacheHost* host = GetHost(host_id);
-  if (!host)
+  if (!host || host->was_select_cache_called())
     return false;
 
   host->SelectCacheForSharedWorker(appcache_id);

content/browser/appcache/appcache_host.cc

@@ -49,6 +49,7 @@ AppCacheHost::AppCacheHost(int host_id, AppCacheFrontend* frontend,
       parent_host_id_(kAppCacheNoHostId), parent_process_id_(0),
       pending_main_resource_cache_id_(kAppCacheNoCacheId),
       pending_selected_cache_id_(kAppCacheNoCacheId),
+      was_select_cache_called_(false),
       is_cache_selection_enabled_(true),
       frontend_(frontend), service_(service),
       storage_(service->storage()),
@@ -85,8 +86,9 @@ void AppCacheHost::SelectCache(const GURL& document_url,
   DCHECK(pending_start_update_callback_.is_null() &&
          pending_swap_cache_callback_.is_null() &&
          pending_get_status_callback_.is_null() &&
-         !is_selection_pending());
+         !is_selection_pending() && !was_select_cache_called_);
 
+  was_select_cache_called_ = true;
   if (!is_cache_selection_enabled_) {
     FinishCacheSelection(NULL, NULL);
     return;
@@ -152,8 +154,9 @@ void AppCacheHost::SelectCacheForWorker(int parent_process_id,
   DCHECK(pending_start_update_callback_.is_null() &&
          pending_swap_cache_callback_.is_null() &&
          pending_get_status_callback_.is_null() &&
-         !is_selection_pending());
+         !is_selection_pending() && !was_select_cache_called_);
 
+  was_select_cache_called_ = true;
   parent_process_id_ = parent_process_id;
   parent_host_id_ = parent_host_id;
   FinishCacheSelection(NULL, NULL);
@@ -163,8 +166,9 @@ void AppCacheHost::SelectCacheForSharedWorker(int64 appcache_id) {
   DCHECK(pending_start_update_callback_.is_null() &&
          pending_swap_cache_callback_.is_null() &&
          pending_get_status_callback_.is_null() &&
-         !is_selection_pending());
+         !is_selection_pending() && !was_select_cache_called_);
 
+  was_select_cache_called_ = true;
   if (appcache_id != kAppCacheNoCacheId) {
     LoadSelectedCache(appcache_id);
     return;

content/browser/appcache/appcache_host.h

@@ -163,6 +163,7 @@ class CONTENT_EXPORT AppCacheHost
   AppCacheStorage* storage() const { return storage_; }
   AppCacheFrontend* frontend() const { return frontend_; }
   AppCache* associated_cache() const { return associated_cache_.get(); }
+  bool was_select_cache_called() const { return was_select_cache_called_; }
 
   void enable_cache_selection(bool enable) {
     is_cache_selection_enabled_ = enable;
@@ -269,6 +270,9 @@ class CONTENT_EXPORT AppCacheHost
   int64 pending_selected_cache_id_;
   GURL pending_selected_manifest_url_;
 
+  // Used to defend against bad IPC messages.
+  bool was_select_cache_called_;
+
   // Used to avoid stepping on pages controlled by ServiceWorkers.
   bool is_cache_selection_enabled_;