From 0aecd620c58d24c852884732ac05e74d7b617889 Mon Sep 17 00:00:00 2001
From: Guido Urdaneta <guidou@chromium.org>
Date: Tue, 15 Nov 2022 16:01:51 +0000
Subject: [Backport] Security bug 829317 (2/2)

Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4025933:
[MediaStream] Use bad message for unexpected OnStreamStarted IPC in MSDH

Originally we were using a DCHECK, but crashing the renderer process is
a safer option since a well-behaved renderer should not send it.

Bug: 829317
Change-Id: I41be62b11ecce82c94a56c604e8475be9071fbf5
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4025933
Reviewed-by: Elad Alon <eladalon@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Commit-Queue: Guido Urdaneta <guidou@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1071628}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/460502
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
---
 chromium/content/browser/bad_message.h                            | 1 +
 .../browser/renderer_host/media/media_stream_dispatcher_host.cc   | 8 ++++++--
 chromium/tools/metrics/histograms/enums.xml                       | 1 +
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/chromium/content/browser/bad_message.h b/chromium/content/browser/bad_message.h
index ad07523e86c..a0c03b39c57 100644
--- a/chromium/content/browser/bad_message.h
+++ b/chromium/content/browser/bad_message.h
@@ -302,6 +302,7 @@ enum BadMessageReason {
   FF_DIFFERENT_MODE_THAN_EMBEDDER = 275,
   RFHI_UNFENCED_TOP_IPC_OUTSIDE_FENCED_FRAME = 276,
   FF_NAVIGATION_INVALID_URL = 277,
+  MSDH_ON_STREAM_STARTED_DISALLOWED = 292,
 
   // Please add new elements here. The naming convention is abbreviated class
   // name (e.g. RenderFrameHost becomes RFH) plus a unique description of the
diff --git a/chromium/content/browser/renderer_host/media/media_stream_dispatcher_host.cc b/chromium/content/browser/renderer_host/media/media_stream_dispatcher_host.cc
index ba730b67353..b6f01380676 100644
--- a/chromium/content/browser/renderer_host/media/media_stream_dispatcher_host.cc
+++ b/chromium/content/browser/renderer_host/media/media_stream_dispatcher_host.cc
@@ -529,8 +529,12 @@ void MediaStreamDispatcherHost::SetCapturingLinkSecured(
 void MediaStreamDispatcherHost::OnStreamStarted(const std::string& label) {
   DCHECK_CURRENTLY_ON(BrowserThread::IO);
 
-  DCHECK(!base::FeatureList::IsEnabled(
-      blink::features::kStartMediaStreamCaptureIndicatorInBrowser));
+  if (base::FeatureList::IsEnabled(
+          blink::features::kStartMediaStreamCaptureIndicatorInBrowser)) {
+    ReceivedBadMessage(render_process_id_,
+                       bad_message::MSDH_ON_STREAM_STARTED_DISALLOWED);
+    return;
+  }
   media_stream_manager_->OnStreamStarted(label);
 }
 
diff --git a/chromium/tools/metrics/histograms/enums.xml b/chromium/tools/metrics/histograms/enums.xml
index 5f76451a1d6..03352a4fd0e 100644
--- a/chromium/tools/metrics/histograms/enums.xml
+++ b/chromium/tools/metrics/histograms/enums.xml
@@ -8744,6 +8744,7 @@ Called by update_bad_message_reasons.py.-->
   <int value="275" label="FF_DIFFERENT_MODE_THAN_EMBEDDER"/>
   <int value="276" label="RFHI_UNFENCED_TOP_IPC_OUTSIDE_FENCED_FRAME"/>
   <int value="277" label="FF_NAVIGATION_INVALID_URL"/>
+  <int value="292" label="MSDH_ON_STREAM_STARTED_DISALLOWED"/>
 </enum>
 
 <enum name="BadMessageReasonExtensions">
-- 
cgit v1.2.1