Prevent potential UAF in PrintCompositeClient.

Identify RenderFrameHosts using ID pairs instead of raw pointers, to make it possible to check if the IDs are still valid when used later. Bug: 1106342 Change-Id: I8ada468136a61eb837ad7d8b092915d17e958e45 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2305191Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Jeongeun Kim <je_julie.kim@chromium.org> Commit-Queue: Lei Zhang <thestig@chromium.org> Cr-Commit-Position: refs/heads/master@{#791150}

Prevent potential UAF in PrintCompositeClient.
Identify RenderFrameHosts using ID pairs instead of raw pointers, to make it possible to check if the IDs are still valid when used later. Bug: 1106342 Change-Id: I8ada468136a61eb837ad7d8b092915d17e958e45 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2305191Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Jeongeun Kim <je_julie.kim@chromium.org> Commit-Queue: Lei Zhang <thestig@chromium.org> Cr-Commit-Position: refs/heads/master@{#791150}
d32bde94 · Lei Zhang · Commit Bot · 3860e808 · d32bde94 · d32bde94
Commit d32bde94 authored Jul 23, 2020 by Lei Zhang Committed by Commit Bot Jul 23, 2020
2 changed files
--- a/components/printing/browser/print_composite_client.cc
+++ b/components/printing/browser/print_composite_client.cc
@@ -118,7 +118,8 @@ void PrintCompositeClient::RenderFrameDeleted(
 }

 void PrintCompositeClient::OnDidPrintFrameContent(
-    content::RenderFrameHost* render_frame_host,
+    int render_process_id,
+    int render_frame_id,
    int document_cookie,
    mojom::DidPrintContentParamsPtr params) {
  auto* outer_contents = web_contents()->GetOuterWebContents();
@@ -131,14 +132,19 @@ void PrintCompositeClient::OnDidPrintFrameContent(
    // contents nested in multiple layers.
    auto* outer_client = PrintCompositeClient::FromWebContents(outer_contents);
    DCHECK(outer_client);
-    outer_client->OnDidPrintFrameContent(render_frame_host, document_cookie,
-                                         std::move(params));
+    outer_client->OnDidPrintFrameContent(render_process_id, render_frame_id,
+                                         document_cookie, std::move(params));
    return;
  }

  if (document_cookie_ != document_cookie)
    return;

+  auto* render_frame_host =
+      content::RenderFrameHost::FromID(render_process_id, render_frame_id);
+  if (!render_frame_host)
+    return;
+
  // Content in |params| is sent from untrusted source; only minimal processing
  // is done here. Most of it will be directly forwarded to print compositor
  // service.
@@ -182,11 +188,14 @@ void PrintCompositeClient::PrintCrossProcessSubframe(
  }

  // Send the request to the destination frame.
+  int render_process_id = subframe_host->GetProcess()->GetID();
+  int render_frame_id = subframe_host->GetRoutingID();
  GetPrintRenderFrame(subframe_host)
      ->PrintFrameContent(
          std::move(params),
          base::BindOnce(&PrintCompositeClient::OnDidPrintFrameContent,
-                         weak_ptr_factory_.GetWeakPtr(), subframe_host));
+                         weak_ptr_factory_.GetWeakPtr(), render_process_id,
+                         render_frame_id));
  pending_subframes_.insert(subframe_host);
 }


--- a/components/printing/browser/print_composite_client.h
+++ b/components/printing/browser/print_composite_client.h
@@ -114,7 +114,8 @@ class PrintCompositeClient
      mojom::PrintCompositor::Status status,
      base::ReadOnlySharedMemoryRegion region);

-  void OnDidPrintFrameContent(content::RenderFrameHost* render_frame_host,
+  void OnDidPrintFrameContent(int render_process_id,
+                              int render_frame_id,
                              int document_cookie,
                              mojom::DidPrintContentParamsPtr params);