Fix and IPC fuzzer top crasher in OnWorkerScriptLoaded.

A compromised renderer can pass an arbitrary |provider_id|, so we should ensure that |provider_host| is not NULL and remove the DCHECK. See https://cluster-fuzz.appspot.com/testcase?key=4713217552023552 R=falken@chromium.org,nhiroki@chromium.org Review URL: https://codereview.chromium.org/901243002 Cr-Commit-Position: refs/heads/master@{#314881}

Fix and IPC fuzzer top crasher in OnWorkerScriptLoaded.
A compromised renderer can pass an arbitrary |provider_id|, so we should ensure that |provider_host| is not NULL and remove the DCHECK. See https://cluster-fuzz.appspot.com/testcase?key=4713217552023552 R=falken@chromium.org,nhiroki@chromium.org Review URL: https://codereview.chromium.org/901243002 Cr-Commit-Position: refs/heads/master@{#314881}
d35d0fb1 · mbarbella · Commit bot · fa5eafe0 · d35d0fb1
Commit d35d0fb1 authored Feb 05, 2015 by mbarbella Committed by Commit bot Feb 05, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletion

content/browser/service_worker/service_worker_dispatcher_host.cc .../browser/service_worker/service_worker_dispatcher_host.cc +5 -1

No files found.
--- a/content/browser/service_worker/service_worker_dispatcher_host.cc
+++ b/content/browser/service_worker/service_worker_dispatcher_host.cc
@@ -690,7 +690,11 @@ void ServiceWorkerDispatcherHost::OnWorkerScriptLoaded(
  ServiceWorkerProviderHost* provider_host =
      GetContext()->GetProviderHost(render_process_id_, provider_id);
-  DCHECK(provider_host);
+  if (!provider_host) {
+    BadMessageReceived();
+    return;
+  }
  provider_host->SetReadyToSendMessagesToWorker(thread_id);
  EmbeddedWorkerRegistry* registry = GetContext()->embedded_worker_registry();