Improve IndexedDB IPC message sanitization

Defend against a compromised renderer sending junk to the browser. BUG=174895 Review URL: https://chromiumcodereview.appspot.com/12208119 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@182008 0039d316-1c4b-4281-b951-d872f2087c98

Improve IndexedDB IPC message sanitization
Defend against a compromised renderer sending junk to the browser. BUG=174895 Review URL: https://chromiumcodereview.appspot.com/12208119 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@182008 0039d316-1c4b-4281-b951-d872f2087c98
cb9dcd96 · dgrogan@chromium.org · 4fd5ecbd · cb9dcd96
Commit cb9dcd96 authored Feb 12, 2013 by dgrogan@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 1 deletion

content/browser/in_process_webkit/indexed_db_dispatcher_host.cc ...t/browser/in_process_webkit/indexed_db_dispatcher_host.cc +15 -1

No files found.
--- a/content/browser/in_process_webkit/indexed_db_dispatcher_host.cc
+++ b/content/browser/in_process_webkit/indexed_db_dispatcher_host.cc
@@ -475,6 +475,12 @@ void IndexedDBDispatcherHost::DatabaseDispatcherHost::OnPut(
  scoped_ptr<WebIDBCallbacks> callbacks(
      new IndexedDBCallbacks<WebIDBKey>(parent_, params.ipc_thread_id,
                                        params.ipc_response_id));
+  if (params.index_ids.size() != params.index_keys.size()) {
+    callbacks->onError(WebIDBDatabaseError(
+        WebKit::WebIDBDatabaseExceptionUnknownError,
+        "Malformed IPC message: index_ids.size() != index_keys.size()"));
+    return;
+  }
  WebVector<unsigned char> value(params.value);
  int64 host_transaction_id = parent_->HostTransactionId(params.transaction_id);
@@ -499,7 +505,15 @@ void IndexedDBDispatcherHost::DatabaseDispatcherHost::OnSetIndexKeys(
  if (!database)
    return;
-  database->setIndexKeys(parent_->HostTransactionId(params.transaction_id),
+  int64 host_transaction_id = parent_->HostTransactionId(params.transaction_id);
+  if (params.index_ids.size() != params.index_keys.size()) {
+    database->abort(host_transaction_id, WebIDBDatabaseError(
+        WebKit::WebIDBDatabaseExceptionUnknownError,
+        "Malformed IPC message: index_ids.size() != index_keys.size()"));
+    return;
+  }
+  database->setIndexKeys(host_transaction_id,
                         params.object_store_id,
                         params.primary_key, params.index_ids,
                         params.index_keys);