chore: cherry-pick 229fdaf8fc05 from chromium (#26195)

2026-04-10 03:01:51 -04:00 · 2020-10-28 14:04:45 -07:00
parent 20af00374a
commit 3369263815
2 changed files with 65 additions and 0 deletions
--- a/patches/chromium/.patches
+++ b/patches/chromium/.patches
@@ -135,4 +135,5 @@ cherry-pick-52dceba66599.patch
 cherry-pick-abc6ab85e704.patch
 avoid_use-after-free.patch
 cherry-pick-3b5f65c0aeca.patch
+cherry-pick-229fdaf8fc05.patch
 cherry-pick-88f263f401b4.patch
--- a/patches/chromium/cherry-pick-229fdaf8fc05.patch
+++ b/patches/chromium/cherry-pick-229fdaf8fc05.patch
@@ -0,0 +1,64 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Guido Urdaneta <guidou@chromium.org>
+Date: Wed, 14 Oct 2020 19:40:12 +0000
+Subject: Validate input of MediaStreamDispatcherHost::OpenDevice()
+
+This method forwards to MediaStreamManager::OpenDevice(), which
+DCHECKs for the stream type to be device video or audio capture
+(i.e., webcam or mic). However, MSDH admits other stream types,
+which cause MSM::OpenDevice to hit this DCHECK.
+
+This CL ensures that a message containing an incorrect stream type,
+which could be sent by a malicious renderer, results in killing the
+renderer process.
+
+Bug: 1135018
+Change-Id: I3884dde95d92c41f44966a8ab1dd7bdfd4b23b9b
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2472397
+Auto-Submit: Guido Urdaneta <guidou@chromium.org>
+Commit-Queue: Guido Urdaneta <guidou@chromium.org>
+Reviewed-by: Avi Drissman <avi@chromium.org>
+Cr-Commit-Position: refs/heads/master@{#817151}
+
+diff --git a/content/browser/bad_message.h b/content/browser/bad_message.h
+index d29ce2e7422b66e53f7c27a25fb987237d6221e0..44147439a50096e09be41dbba14b5452d2268157 100644
+--- a/content/browser/bad_message.h
+++ b/content/browser/bad_message.h
+@@ -246,6 +246,7 @@ enum BadMessageReason {
+   MDDH_INVALID_STREAM_SELECTION_INFO = 218,
+   REGISTER_PROTOCOL_HANDLER_INVALID_URL = 219,
+   NC_SAME_DOCUMENT_POST_COMMIT_ERROR = 220,
+  MSDH_INVALID_STREAM_TYPE = 234,
+ 
+   // Please add new elements here. The naming convention is abbreviated class
+   // name (e.g. RenderFrameHost becomes RFH) plus a unique description of the
+diff --git a/content/browser/renderer_host/media/media_stream_dispatcher_host.cc b/content/browser/renderer_host/media/media_stream_dispatcher_host.cc
+index 1a3b5b446bbff28e60278bfe5f29e13acc3c5306..488b6746a3545f687159dabfee4dd278c1eaea0e 100644
+--- a/content/browser/renderer_host/media/media_stream_dispatcher_host.cc
+++ b/content/browser/renderer_host/media/media_stream_dispatcher_host.cc
+@@ -196,6 +196,13 @@ void MediaStreamDispatcherHost::OpenDevice(int32_t page_request_id,
+                                            blink::mojom::MediaStreamType type,
+                                            OpenDeviceCallback callback) {
+   DCHECK_CURRENTLY_ON(BrowserThread::IO);
+  // OpenDevice is only supported for microphone or webcam capture.
+  if (type != blink::mojom::MediaStreamType::DEVICE_AUDIO_CAPTURE &&
+      type != blink::mojom::MediaStreamType::DEVICE_VIDEO_CAPTURE) {
+    bad_message::ReceivedBadMessage(
+        render_process_id_, bad_message::MDDH_INVALID_DEVICE_TYPE_REQUEST);
+    return;
+  }
+ 
+   base::PostTaskAndReplyWithResult(
+       base::CreateSingleThreadTaskRunner({BrowserThread::UI}).get(), FROM_HERE,
+diff --git a/tools/metrics/histograms/enums.xml b/tools/metrics/histograms/enums.xml
+index d3b774e16ed7b99362119ba7a999fe8df6df0d84..2f6f37eaa989f4baf2c9dcab487f5545d392a89f 100644
+--- a/tools/metrics/histograms/enums.xml
+++ b/tools/metrics/histograms/enums.xml
+@@ -5362,6 +5362,7 @@ Unknown properties are collapsed to zero. -->
+   <int value="218" label="MDDH_INVALID_STREAM_SELECTION_INFO"/>
+   <int value="219" label="REGISTER_PROTOCOL_HANDLER_INVALID_URL"/>
+   <int value="220" label="NC_SAME_DOCUMENT_POST_COMMIT_ERROR"/>
+  <int value="234" label="MSDH_INVALID_STREAM_TYPE"/>
+ </enum>
+ 
+ <enum name="BadMessageReasonExtensions">