diff options
| author | Guido Urdaneta <guidou@chromium.org> | 2022-11-15 16:01:51 +0000 |
|---|---|---|
| committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2023-02-20 15:08:28 +0000 |
| commit | a6b342a50a4f7a5bc8c193a480d2c3f52e9b0956 (patch) | |
| tree | b0f10906597f94d28f05a6ba6f9e446cbfc7bf42 /chromium | |
| parent | 236a983ef8de393064fe7b3ffbadb20fe44a32ca (diff) | |
| download | qtwebengine-chromium-a6b342a50a4f7a5bc8c193a480d2c3f52e9b0956.tar.gz | |
[Backport] Security bug 829317 (2/2)
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4025933:
[MediaStream] Use bad message for unexpected OnStreamStarted IPC in MSDH
Originally we were using a DCHECK, but crashing the renderer process is
a safer option since a well-behaved renderer should not send it.
Bug: 829317
Change-Id: I41be62b11ecce82c94a56c604e8475be9071fbf5
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4025933
Reviewed-by: Elad Alon <eladalon@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Commit-Queue: Guido Urdaneta <guidou@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1071628}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/461078
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'chromium')
| -rw-r--r-- | chromium/content/browser/bad_message.h | 1 | ||||
| -rw-r--r-- | chromium/content/browser/renderer_host/media/media_stream_dispatcher_host.cc | 8 | ||||
| -rw-r--r-- | chromium/tools/metrics/histograms/enums.xml | 1 |
3 files changed, 8 insertions, 2 deletions
diff --git a/chromium/content/browser/bad_message.h b/chromium/content/browser/bad_message.h index 8b0350cbc16..2a92514c8e2 100644 --- a/chromium/content/browser/bad_message.h +++ b/chromium/content/browser/bad_message.h @@ -311,6 +311,7 @@ enum BadMessageReason { FF_FROZEN_SANDBOX_FLAGS_CHANGED = 284, MSM_GET_OPEN_DEVICE_FOR_UNSUPPORTED_STREAM_TYPE = 285, MSDH_KEEP_DEVICE_ALIVE_USE_WITHOUT_FEATURE = 286, + MSDH_ON_STREAM_STARTED_DISALLOWED = 292, // Please add new elements here. The naming convention is abbreviated class // name (e.g. RenderFrameHost becomes RFH) plus a unique description of the diff --git a/chromium/content/browser/renderer_host/media/media_stream_dispatcher_host.cc b/chromium/content/browser/renderer_host/media/media_stream_dispatcher_host.cc index 5ba244698fe..de1fc9d6785 100644 --- a/chromium/content/browser/renderer_host/media/media_stream_dispatcher_host.cc +++ b/chromium/content/browser/renderer_host/media/media_stream_dispatcher_host.cc @@ -598,8 +598,12 @@ void MediaStreamDispatcherHost::SetCapturingLinkSecured( void MediaStreamDispatcherHost::OnStreamStarted(const std::string& label) { DCHECK_CURRENTLY_ON(BrowserThread::IO); - DCHECK(!base::FeatureList::IsEnabled( - blink::features::kStartMediaStreamCaptureIndicatorInBrowser)); + if (base::FeatureList::IsEnabled( + blink::features::kStartMediaStreamCaptureIndicatorInBrowser)) { + ReceivedBadMessage(render_process_id_, + bad_message::MSDH_ON_STREAM_STARTED_DISALLOWED); + return; + } media_stream_manager_->OnStreamStarted(label); } diff --git a/chromium/tools/metrics/histograms/enums.xml b/chromium/tools/metrics/histograms/enums.xml index 37c1ce60163..1e7df32e410 100644 --- a/chromium/tools/metrics/histograms/enums.xml +++ b/chromium/tools/metrics/histograms/enums.xml @@ -10815,6 +10815,7 @@ Called by update_bad_message_reasons.py.--> <int value="284" label="FF_FROZEN_SANDBOX_FLAGS_CHANGED"/> <int value="285" label="MSM_GET_OPEN_DEVICE_FOR_UNSUPPORTED_STREAM_TYPE"/> <int value="286" label="MSDH_KEEP_DEVICE_ALIVE_USE_WITHOUT_FEATURE"/> + <int value="292" label="MSDH_ON_STREAM_STARTED_DISALLOWED"/> </enum> <enum name="BadMessageReasonExtensions"> |