From 4646e31fd9660ccd987ac750eeba074c208a7ac1 Mon Sep 17 00:00:00 2001
From: Mikel Astiz
Date: Fri, 30 Apr 2021 07:23:49 +0000
Subject: [Backport] CVE-2021-30516: Heap buffer overflow in History.

Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2859102:

Guard WebContents::DownloadImage() against malformed renderer response

Callers expect that ImageDownloadCallback gets invoked with two vectors
having the same number of elements (one containing the bitmaps and the
other one the corresponding sizes). However, these vectors are populated
directly from the Mojo response, so there needs to be some browser-process
sanitization to protect against buggy or compromised renderers.

In this patch, WebContentsImpl::OnDidDownloadImage() mimics a 400 error if
the response is malformed, similarly to how it's done in other edge cases
(renderer process dead upon download). Because this scenario is a violation
of the Mojo API contract, the browser process also issues a bad message log
(newly-introduced WCI_INVALID_DOWNLOAD_IMAGE_RESULT) and shuts down the
renderer process.

Change-Id: I29baa421b3590e9a9eeaee95a6e331c08dce5096
Fixed: 1201446
Reviewed-by: Avi Drissman
Reviewed-by: Kentaro Hara
Commit-Queue: Mikel Astiz
Cr-Commit-Position: refs/heads/master@{#877817}
Reviewed-by: Allan Sandfeld Jensen
---
 chromium/tools/metrics/histograms/enums.xml | 1 +
 1 file changed, 1 insertion(+)

(limited to 'chromium/tools')

diff --git a/chromium/tools/metrics/histograms/enums.xml b/chromium/tools/metrics/histograms/enums.xml index f524d6df7fe..e4c8f6896b0 100644 --- a/chromium/tools/metrics/histograms/enums.xml +++ b/chromium/tools/metrics/histograms/enums.xml @@ -6487,6 +6487,7 @@ Called by update_bad_message_reasons.py.--> +
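Review bot: the single added line of this hunk carries no visible content in this rendering, and the diff as a whole is limited to chromium/tools/metrics/histograms/enums.xml (1 file changed, 1 insertion), so none of the browser-side logic the commit message describes (the malformed-response check in WebContentsImpl::OnDidDownloadImage(), the mimicked 400 error, the bad-message report and the renderer shutdown) is part of this commit; confirm that the companion change to WebContentsImpl is backported alongside it, otherwise this only registers the WCI_INVALID_DOWNLOAD_IMAGE_RESULT enum value with nothing that ever emits it. Also, since the surrounding comment says this block is "Called by update_bad_message_reasons.py", the new entry should be regenerated by that script from the updated bad-message enum rather than hand-inserted, so that the numeric value recorded in enums.xml matches the one the browser reports.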
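The contract the commit message describes (two parallel vectors that must have the same length, filled directly from an untrusted renderer reply) is easy to get wrong on the consuming side, because every caller that indexes `sizes[i]` while walking `bitmaps` silently assumes the renderer honoured it. The following is an added, self-contained C++ sketch of the browser-side guard, not Chromium's code: the types, `SanitizeDownloadImageReply`, `LargestBitmapOriginalWidth`, `MakeSampleReply` and the sample data are hypothetical stand-ins for the real Mojo types and for `WebContentsImpl::OnDidDownloadImage()`, and the `bad_message` flag stands in for the bad-message report that leads to the renderer being killed.

```cpp
#include <cstddef>
#include <utility>
#include <vector>

// Added example, not Chromium code. Hypothetical stand-ins for the
// SkBitmap / gfx::Size payload of the DownloadImage Mojo reply.
struct Bitmap { int width; int height; };
struct Size   { int width; int height; };

// What the ImageDownloadCallback consumer receives after sanitization.
struct ImageDownloadResult {
  int http_status;               // 400 when the reply was rejected
  bool bad_message;              // true => caller reports it and kills the renderer
  std::vector<Bitmap> bitmaps;
  std::vector<Size> sizes;       // parallel to `bitmaps`, one entry per bitmap
};

// Browser-process sanitization of an untrusted renderer reply. The Mojo API
// contract promises `bitmaps` and `sizes` are parallel; a buggy or compromised
// renderer can break that, so enforce it here, before any caller indexes them.
ImageDownloadResult SanitizeDownloadImageReply(int http_status,
                                               std::vector<Bitmap> bitmaps,
                                               std::vector<Size> sizes) {
  if (bitmaps.size() != sizes.size()) {
    // Contract violation: mimic the 400 used for the "renderer went away"
    // edge case and flag the message so the process can be shut down.
    return ImageDownloadResult{400, true, {}, {}};
  }
  return ImageDownloadResult{http_status, false, std::move(bitmaps),
                             std::move(sizes)};
}

// A typical consumer: pick the largest delivered bitmap and report the
// original width declared for it. Without the guard above, a reply with more
// bitmaps than sizes makes `r.sizes[best_i]` an out-of-bounds heap read;
// with it, the vectors are either parallel or both empty.
int LargestBitmapOriginalWidth(const ImageDownloadResult& r) {
  int best_area = -1;
  std::size_t best_i = 0;
  for (std::size_t i = 0; i < r.bitmaps.size(); ++i) {
    const int area = r.bitmaps[i].width * r.bitmaps[i].height;
    if (area > best_area) { best_area = area; best_i = i; }
  }
  return best_area < 0 ? -1 : r.sizes[best_i].width;
}

// Constructed sample replies (not captured traffic): a well-formed one and a
// malformed one that delivers two bitmaps but only one size.
ImageDownloadResult MakeSampleReply(bool malformed) {
  std::vector<Bitmap> bitmaps = {{16, 16}, {32, 32}};
  std::vector<Size> sizes = {{160, 160}, {320, 320}};
  if (malformed) sizes.pop_back();
  return SanitizeDownloadImageReply(200, std::move(bitmaps), std::move(sizes));
}

int main() {
  const ImageDownloadResult good = MakeSampleReply(false);
  const ImageDownloadResult bad = MakeSampleReply(true);
  // good.http_status == 200, width 320; bad.http_status == 400, width -1.
  return (good.http_status == 200 && LargestBitmapOriginalWidth(good) == 320 &&
          bad.http_status == 400 && bad.bad_message &&
          LargestBitmapOriginalWidth(bad) == -1) ? 0 : 1;
}
```

The check is deliberately placed where the reply enters the browser process, not in each consumer: once `SanitizeDownloadImageReply` has run, every caller can rely on the two vectors being parallel, and a violation is treated as a hostile message rather than as a recoverable download error.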