diff options
| author | Guido Urdaneta <guidou@chromium.org> | 2022-11-15 16:01:51 +0000 |
|---|---|---|
| committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2023-02-17 08:36:55 +0000 |
| commit | 0aecd620c58d24c852884732ac05e74d7b617889 (patch) | |
| tree | cb60dc6f5436aa22b84b28314ceae4b8a238b26a | |
| parent | b476794afcf282bd66819a8920bad7007d1da516 (diff) | |
| download | qtwebengine-chromium-0aecd620c58d24c852884732ac05e74d7b617889.tar.gz | |
[Backport] Security bug 829317 (2/2)
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4025933:
[MediaStream] Use bad message for unexpected OnStreamStarted IPC in MSDH
Originally we were using a DCHECK, but crashing the renderer process is
a safer option since a well-behaved renderer should not send it.
Bug: 829317
Change-Id: I41be62b11ecce82c94a56c604e8475be9071fbf5
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4025933
Reviewed-by: Elad Alon <eladalon@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Commit-Queue: Guido Urdaneta <guidou@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1071628}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/460502
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| -rw-r--r-- | chromium/content/browser/bad_message.h | 1 | ||||
| -rw-r--r-- | chromium/content/browser/renderer_host/media/media_stream_dispatcher_host.cc | 8 | ||||
| -rw-r--r-- | chromium/tools/metrics/histograms/enums.xml | 1 |
3 files changed, 8 insertions, 2 deletions
diff --git a/chromium/content/browser/bad_message.h b/chromium/content/browser/bad_message.h index ad07523e86c..a0c03b39c57 100644 --- a/chromium/content/browser/bad_message.h +++ b/chromium/content/browser/bad_message.h @@ -302,6 +302,7 @@ enum BadMessageReason { FF_DIFFERENT_MODE_THAN_EMBEDDER = 275, RFHI_UNFENCED_TOP_IPC_OUTSIDE_FENCED_FRAME = 276, FF_NAVIGATION_INVALID_URL = 277, + MSDH_ON_STREAM_STARTED_DISALLOWED = 292, // Please add new elements here. The naming convention is abbreviated class // name (e.g. RenderFrameHost becomes RFH) plus a unique description of the diff --git a/chromium/content/browser/renderer_host/media/media_stream_dispatcher_host.cc b/chromium/content/browser/renderer_host/media/media_stream_dispatcher_host.cc index ba730b67353..b6f01380676 100644 --- a/chromium/content/browser/renderer_host/media/media_stream_dispatcher_host.cc +++ b/chromium/content/browser/renderer_host/media/media_stream_dispatcher_host.cc @@ -529,8 +529,12 @@ void MediaStreamDispatcherHost::SetCapturingLinkSecured( void MediaStreamDispatcherHost::OnStreamStarted(const std::string& label) { DCHECK_CURRENTLY_ON(BrowserThread::IO); - DCHECK(!base::FeatureList::IsEnabled( - blink::features::kStartMediaStreamCaptureIndicatorInBrowser)); + if (base::FeatureList::IsEnabled( + blink::features::kStartMediaStreamCaptureIndicatorInBrowser)) { + ReceivedBadMessage(render_process_id_, + bad_message::MSDH_ON_STREAM_STARTED_DISALLOWED); + return; + } media_stream_manager_->OnStreamStarted(label); } diff --git a/chromium/tools/metrics/histograms/enums.xml b/chromium/tools/metrics/histograms/enums.xml index 5f76451a1d6..03352a4fd0e 100644 --- a/chromium/tools/metrics/histograms/enums.xml +++ b/chromium/tools/metrics/histograms/enums.xml @@ -8744,6 +8744,7 @@ Called by update_bad_message_reasons.py.--> <int value="275" label="FF_DIFFERENT_MODE_THAN_EMBEDDER"/> <int value="276" label="RFHI_UNFENCED_TOP_IPC_OUTSIDE_FENCED_FRAME"/> <int value="277" label="FF_NAVIGATION_INVALID_URL"/> + <int value="292" label="MSDH_ON_STREAM_STARTED_DISALLOWED"/> </enum> <enum name="BadMessageReasonExtensions"> |